Article 5
Processing regulations for private persons
- The private controller and its private processor must issue regulations on automated processing if they:
- a. process a large volume of sensitive personal data; or
- b. carry out high-risk profiling.
- The regulations must in particular include details of the internal organisational structure, data processing and control procedures and the measures that guarantee data security.
- The private controller and its private processor must update the regulations regularly. If a data protection officer has been appointed, the regulations must be made available to the officer.