1. Description of the Project’s Purpose
Summary: The aim of this description is to introduce the scope of the privacy scan with a brief description of the project (its background, goals, what it is trying to achieve, the service it is trying to provide, etc.), followed by a description of the specific personal data processing activities, like interviews, observations or surveys, that are required by the project – as these activities will then be the focus of the following steps of the Privacy Scan.
The use of personal data must be justified – it must fulfil a purpose. The purpose is what ultimately defines the motivation for the use of personal data – how reasonable, justifiable, is to use personal data to achieve that goal. This is the first step to assess necessity and proportionality.
The purpose of the project is then described in Step 1. This description starts by introducing the project by providing a summary that explains what the project is trying to achieve, or the services it meant to provide. This summary helps the reader – often, the privacy officer – to understand the scope of the activity, so it should be written in clear and concise language, understandable to people who are not experts in the topic.
This is followed by a description of the specific activities – surveys, interviews – that involve the use of personal data that necessary to achieve the purpose. These activities must be adequately explained as necessary. While activities like conducting interviews or sharing a survey do not need additional explanations, activities like ´societal dialogues’ or ‘the Delphi methodology’ do require additional explanations so that the reader can actually understand how these activities use personal data. It must be clear what is the nature of the described activity – in what form does it involve personal data?
It is important to properly define these processing activities in Step 1, because each one of these activities are going to be described in the following steps – so, if the project plans to run a survey and conducts interviews, the privacy scan needs to describe both of these activities in all the following steps, by for example describing the data subjects involved (step 2), the types of data (step 3), and the information provided to survey participants and (separately) to interview participants.
If a project consists of more than a few activities, like large projects with several individual working packages, it may be more manageable to conduct separate individual Privacy Scans on each of the (smaller) working packages, instead of a large and complicated document on the larger project. Doing so would also make the process more manageable, as Privacy Scans need to be fully completed before a project is submitted for ethics approval.
If available, it is a good idea to include additional documentation, like the project proposal, that can describe the project in a more thorough manner. A link to these documents should then be added to the text in Step 1, and the documents stored in the shared folder of the project
Previous: Introduction | Next: Description of Data Subjects
- Description of the Project’s Purpose
- Description of Data Subjects
- Description of the Categories and Purposes of Personal Data
- Description of the Processing of Personal Data
- Description of Information Provided to Data Subjects
- Description of How Data Subjects Can Exercise Their Data Subject Rights
- Description of Lawful Basis for Processing
- Description of Measures to Ensure Compliance By Processors and/or Joint Controllers
- Description of Planned Transfers of Personal Data to Other Countries Outside the EU
- Obtaining, Consulting, and Dealing with Data Subjects’ Views of the Processing
- Preliminary Risk Assessment