GDPR Store Manager’s Training Checklist

1. There is a new risk assessment, which the manager has filled out and which all employees must take note of. All employees must sign to confirm that they have understood it.

2. A data protection notice is posted on the bulletin board. Employees should take the time to read and understand it. It provides information about why certain information is requested, used, where it is stored, and how long it is kept. It provides information about employee rights in this context. In the event of questions or complaints, the contact details of the data protection officer are listed in the data protection notice.

3. For handling CCTV footage: a. Access to recorded video footage is restricted to the manager and deputy manager only. b. Printing photos and burning discs of recorded video surveillance footage is prohibited unless requested by the Police Department and may only be done by the manager or his/her designee. c. Burned discs and photographs must be kept under lock and key until picked up by the police. d. Receipts for discs and photos must be issued by the police.

4. No personal data of persons (employees, visitors, customers), including personal telephone numbers, may be left openly visible on desks, behind cash registers, or on walls.

5. All personnel files and data must be kept under lock and key, with access restricted to the manager and his/her deputy.

6. Personal data and/or opinions may not be emailed to anyone without good reason: a. Photos of RTW documentation may not be emailed/SMS/Whatsapp, etc. to anyone. A copy should only be kept in the personnel file at the branch. Copies may not be made by phone or camera. A copy should be kept in the personnel file at the branch only. Copies may not be made by telephone or camera. If you have any such copies stored on your phone or camera, please delete them immediately. b. Forms from new employees can only be sent to the appropriate department for payroll purposes, no one else.

7. No information or opinions about employees, customers, visitors or the company may be disseminated on social media such as Facebook, Whatsapp, Twitter, Linked In, etc. a. If you are part of a Whatsapp group or use social media, please make sure to follow the instructions above. b. Do not engage in social media conversations about colleagues, customers, visitors, or the company, as this may be considered a breach of privacy. You must report such conversations, even if you did not participate in them, to the Data Protection Officer immediately.

8. Memory sticks, USBs, cell phones or other recording devices must not be connected to the company's IT equipment at any time. As a manager, you must randomly check all of your IT equipment on a weekly basis to ensure that no such devices are connected.

9. Downloading and/or uploading information, including filming with cell phones, to and/or from the company's IT equipment is strictly prohibited without the express prior permission of the Commercial Manager. If the police urgently need a copy of video recordings and have asked to save them on a memory stick, permission should still be obtained from management in advance.

10. A data access request is when an employee, customer, or visitor has formally requested to be provided with all data stored about him/her, including video surveillance images, personnel files, etc. Because there are strict guidelines and deadlines for complying with these requests, and the company is legally responsible if the appropriate law is not followed, such requests must be immediately forwarded to the Privacy Officer. These requests can be made by phone, in person, by letter, by email, or via social media. Please make sure you understand the importance and potential impact of data access requests. Failure to comply can result in large fines for the company.

11. A data protection breach is a breach of the General Data Protection Regulation and may result in material and/or immaterial damage to an individual, regardless of whether the individual is an employee, customer, or visitor. a. An employee's address information is left open on the desk. A visitor could look at this information, look at the duty roster hanging on the wall, and know when that employee is not home. This could lead to their home being broken into, with material (financial damage) and non-material damage (psychological distress, anxiety, peace of mind) to the person involved. b. A staff member records details of video surveillance camera footage on their cell phone and shares it on Facebook. The surveillance footage shows the image of a child, which could then be shared on the dark web. This would result in intangible harm to the child, his parents, and his family. c. A photo taken from the CCTV is pinned on the wall in the office with the caption "This is a shoplifter". A visitor sees the photo and knows this person as a neighbor. The visitor then tells all the other neighbors that this person is a shoplifter, but that we were mistaken and that it is a photo of the wrong person. This would result in immaterial damage to the person. d. Personnel files are stored in an unlocked cabinet. Overnight the cabinet is broken into and the burglars now have access to new employee forms, bank account information, copies of RTW, and proof of address. They now have everything they need to empty all employees' bank accounts. This will result in tangible and intangible damage. A breach or even the possibility of a breach must be reported immediately, even if you are not sure if it is a breach or not. The company must report it to the data protection authority within a very strict timeframe. The consequences of a breach and/or late notification are heavy fines and/or the data subject may sue for material and non-material damages.

12. CVs of rejected potential employees, both hard copy and PDF, may not be retained without the express written permission of the owner, and if retained, must be securely locked away.

13. Interview notes of rejected potential employees must be kept for a minimum of 6 months and a maximum of 12 months in case of a legal dispute. They must be kept securely locked.

14. Interview notes of rejected potential employees must be kept for a minimum of 6 months and a maximum of 12 months in case of a legal dispute. They must be kept securely locked.

15. Debit and credit cards left behind by customers must be kept securely locked away until they are collected and, if not collected, destroyed after 3 days. An ID card must be presented at the time of collection.

16. Managers must personally provide this information to all employees and verify their agreement within one week. A sign-off document will be provided that must be completed in full and signed by all employees and sent to the Data Protection Officer.

I acknowledge that I have received a copy of this document and fully understand what is required of me.

Name and Signature of Manager