GDPR e-tool
Discover how EPACA promotes transparency, integrity, and professionalism in European public affairs. Learn about the Code of Conduct, ethical standards, and the principles guiding responsible lobbying across EU institutions.
2. Identifying an appropriate legal basis
2.1 Main legal ground for the processing
2.2 Processing special categories of data?
2.2.1 Definition
2.2.2 Am I allowed to process special categories of personal data?
3. Complying with general data protection principles
Lawfulness, Fairness & Transparency
Stakeholders must be informed about the processing activity (in particular via your website, links in email footers, etc.).
Purpose Limitation
Information relating to stakeholders should be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
Data minimisation
Information collected about stakeholders should be adequate, relevant and limited to what is necessary in relation to the stakeholder mapping’s purposes.
4. Focus on the transparency principle
A bespoke privacy notice relating to stakeholder mapping has been drafted and it needs to be completed to include all the information required by the GDPR. It should be published on the website of your organisation and be easily accessible from any webpage of your website, e.g. via the footer at the bottom of each page.
You should also include a hyperlink to the privacy notice in the signature block of every outgoing email.
5. Complying with other generic GDPR provisions
Facilitating data subjects’ rights
Set up a dedicated mailbox for data protection matters to make it easy for individuals to contact you.
Ensure sufficient internal or external resources are available to handle any request. Establish a clear internal procedure to process and respond to data subject requests promptly.
Security measures
Implement appropriate technical and organisational safeguards to protect personal data.
Ensure employees with access are bound by confidentiality obligations. Restrict access to stakeholder information and use encryption when sharing sensitive files.
International transfers
Assess whether personal data will be transferred outside the European Economic Area.
If so, implement suitable safeguards such as Standard Contractual Clauses or Binding Corporate Rules. Ensure equivalent protection by applying security measures like encryption or pseudonymisation.
Subcontracting
Identify all external processors involved in your stakeholder mapping activities. Sign a compliant data processing agreement with each provider under Article 28 of the GDPR.
Ensure that all processors apply the same high level of data protection and security standards.