Version 6 – Date of release: 7 July 2023

This Data Processing Agreement (“DPA”) forms part of the Dripcel master services agreement (“Principal Agreement”) between Dripcel and the Customer and is subject to the Principal Agreement.

1. Definitions

This Data Processing Agreement (“DPA”) is part of the Dripcel master services agreement (“Principal Agreement”) between Dripcel and the Customer and is subject to the Principal Agreement. For the purposes of this DPA, capitalized terms are defined as follows. Terms not otherwise defined shall have the meaning given in the Principal Agreement.


(a) “Customer’s Personal Data” refers to any personal data processed by Dripcel on behalf of the Customer to perform Services under the Principal Agreement.


(b) “Applicable Data Protection Laws” include the GDPR as implemented in domestic legislation of each Member State (and the United Kingdom) and any amendments, replacements, or supersessions, as well as laws implementing, replacing, or supplementing the GDPR, including the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq (“CCPA”).


(c) “GDPR” refers to the General Data Protection Regulation (EU) 2016/679, concerning the protection of natural persons regarding the processing of personal data and the free movement of such data.


(d) “Dripcel Infrastructure” includes (i) Dripcel’s physical facilities, (ii) hosted cloud infrastructure, (iii) Dripcel’s corporate network, and the non-public internal network, software, and hardware necessary to provide the Services controlled by Dripcel, to the extent used to provide the Services.


(e) “Restricted Transfer” means transferring the Customer’s Personal Data from Dripcel to a sub-processor, which would be prohibited by Applicable Data Protection Laws (or the terms of data transfer agreements established to address the data transfer restrictions of Applicable Data Protection Laws) without appropriate safeguards as required under Applicable Data Protection Laws.


(f) “Services” refer to the services provided to the Customer by Dripcel as per the Principal Agreement.


(g) “Standard Contractual Clauses” means the latest version of the standard contractual clauses for the transfer of personal data to processors in third countries under the GDPR, as annexed to European Commission Decision 2021/914 (EU) of June 4, 2021.


(h) “UK Addendum” refers to the United Kingdom Addendum (International Data Transfer Addendum to the EU Commission Standard Contractual Clauses) available at


(i) The terms “consent”, “controller”, “data subject”, “Member State”, “personal data”, “personal data breach”, “processor”, “sub-processor”, “processing”, “supervisory authority,” and “third party” shall have the meanings assigned to them in Article 4 of the GDPR or the CCPA, where applicable.

2. Compliance with Applicable Data Protection Laws

(a) Dripcel and the Customer shall comply with the provisions and obligations imposed on them by the Applicable Data Protection Laws and shall ensure their employees and sub-processors do the same.

3. Details and Scope of the Processing

(a) The Processing of the Customer’s Personal Data under the Agreement shall comply with the following stipulations and Article 28(3) of the GDPR. This information may be amended by the parties as necessary to meet these requirements.


(i) Subject matter and duration of the processing of personal data are outlined in the Principal Agreement.


(ii) Nature and purpose of the processing of personal data: As detailed in the Principal Agreement, Dripcel provides services such as messaging, email, voice calls, and other communication services to the Customer, involving the processing of personal data. Subject to section 3(a)(iv), these activities include (a) providing the Services; (b) detecting, preventing, and resolving security and technical issues; and (c) responding to Customer’s support requests.


(iii) Types of personal data to be processed: The personal data submitted to Dripcel’s network, as determined and controlled solely by the Controller, may include names, emails, telephone numbers, IP addresses, and other personal data in contact lists and message or call content.


(iv) Independent Data Controller Exclusion: Notwithstanding any other provision herein, when processing personal data for communication services, including SMS, email, voice, and other media transmissions, Dripcel acts as an independent data controller, not as a joint controller. This is to provide communication services, prevent spam and fraud, ensure security, maintain its network, manage its business, and comply with applicable laws.


(v) Categories of data subjects: Senders and recipients of emails, SMS messages, voice calls, or other communications.


(b) Dripcel shall process the Customer’s Personal Data (i) to fulfill its obligations under the Principal Agreement and (ii) according to documented instructions described in this DPA or as otherwise instructed by the Customer. Such instructions shall be documented in applicable orders, service descriptions, support tickets, written communications, or as directed by the Customer using the Services (e.g., via an API or control panel).


(c) If Dripcel reasonably believes a Customer instruction contradicts the Principal Agreement or this DPA, or infringes the GDPR or other data protection provisions, it shall inform the Customer without delay. Dripcel may defer the instruction’s performance until amended by the Customer or mutually agreed upon by both parties.


(d) The Customer is solely responsible for managing personal data submitted or transmitted by the Services, including (i) verifying recipient information such as phone numbers or addresses for accuracy, (ii) reasonably notifying recipients of the insecure nature of email or messaging for transmitting personal data (if applicable), (iii) reasonably limiting the amount or type of information disclosed through the Services, and (iv) encrypting personal data transmitted through the Services when appropriate or required by law (e.g., using encrypted attachments, PGP toolsets, or S/MIME). If the Customer opts not to configure mandatory encryption, they acknowledge that the Services may include transmitting unencrypted emails in plain text over public internet and open networks. Information uploaded to the Services, including message content, is stored in an encrypted format when processed by the Dripcel Infrastructure.

4. Controller and Processor


(a) For the purposes of this DPA, the Customer is the controller of the Customer’s Personal Data, and Dripcel is the processor of such data, except when the Customer acts as a processor of the Customer’s Personal Data, in which case Dripcel is a sub-processor.


(b) Dripcel shall at all times have an officer responsible for assisting the Customer (i) in responding to inquiries concerning the Data Processing received from Data Subjects, and (ii) in completing all legal information and disclosure requirements associated with the Data Processing. Such assistance may be requested at [email protected].


(c) The Customer warrants that:

(i) The processing of the Customer’s Personal Data is based on legal grounds as required by Applicable Data Protection Laws, and that it has made and shall maintain throughout the term of the Principal Agreement all necessary rights, permissions, registrations, and consents as required by Applicable Data Protection Laws with respect to Dripcel’s processing of the Customer’s Personal Data under this DPA and the Principal Agreement.

(ii) It is entitled to and has all necessary rights, permissions, and consents to transfer the Customer’s Personal Data to Dripcel and otherwise permit Dripcel to process the Customer’s Personal Data on its behalf, so that Dripcel may lawfully use, process, and transfer the Customer’s Personal Data to carry out the Services and perform Dripcel’s other rights and obligations under this DPA and the Principal Agreement.

(iii) It will inform its Data Subjects about its use of Processors in Processing their personal data, to the extent required under Applicable Data Protection Laws.


5. Confidentiality

(a) Dripcel shall ensure its personnel and sub-processors are subject to confidentiality agreements and trained on security and data protection requirements.

6. Technical and Organizational Measures

(a) Dripcel shall, in relation to the Customer’s Personal Data, (a) take and document reasonable and appropriate measures, as described in Annex 2, in relation to the security of the Dripcel Infrastructure and the platforms used to provide the Services as described in the Principal Agreement, and (b) on reasonable request at the Customer’s cost, assist the Customer in ensuring compliance with the Customer’s obligations pursuant to Article 32 of the GDPR.


(b) Dripcel’s internal operating procedures shall comply with the specific requirements of an effective Data Protection management.


7. Data Subject Requests

(a) Dripcel offers specific tools to help customers respond to data subject requests. These tools include APIs and interfaces for searching event data, managing suppressions, and retrieving message content. When Dripcel receives a complaint, inquiry, or request related to the Customer’s Personal Data directly from data subjects, including requests to exercise their rights under Applicable Data Protection Laws, Dripcel will notify the Customer. Considering the nature of the processing, Dripcel will assist the Customer with appropriate technical and organizational measures to the extent reasonably possible, enabling the Customer to fulfill their obligation to respond to such data subject requests.

8. Personal Data Breaches

(a) Dripcel shall notify the Customer without undue delay once it becomes aware of a personal data breach affecting the Customer’s Personal Data. Considering the nature of the processing and the information available, Dripcel will use commercially reasonable efforts to provide the Customer with sufficient information. This will enable the Customer, at their own expense, to meet any obligations to report or inform regulatory authorities, data subjects, and other entities of such a personal data breach as required under Applicable Data Protection Laws.

9. Data Protection Impact Assessments

(a) Dripcel shall, considering the nature of the processing and the information available, provide reasonable assistance to the Customer at the Customer’s expense, with any data protection impact assessments and prior consultations with supervisory authorities or other competent regulatory bodies as required for the Customer to fulfill its obligations under Applicable Data Protection Laws.

10. Audits

(a) Dripcel shall, upon reasonable request, provide the Customer with information necessary to demonstrate compliance with this DPA.


(b) The Customer, or a mandated third-party auditor, may conduct an inspection related to the Processing of the Customer’s Personal Data by Dripcel, upon written reasonable request, to the extent necessary according to Data Protection Laws, without disrupting Dripcel’s business operations and ensuring confidentiality.


(c) The audit right described in Paragraph 10(b) will apply if Dripcel has not provided sufficient evidence of compliance with this DPA. Sufficient evidence includes: (i) a certification of compliance with ISO 27001 or other standards implemented by Dripcel (as defined in the certificate); or (ii) an audit or attestation report by an independent third party. Audits described in this Paragraph 10 shall be conducted at the Customer’s cost and expense.


11. Return or Destruction of Personal Data

(a) The Customer may, by written notice to Dripcel no later than the time of termination of the Principal Agreement, request the return and/or certification of deletion of all copies of the Customer’s Personal Data held by Dripcel and its sub-processors. Dripcel shall provide a copy of the Customer’s Data in a readable and processable format.


(b) Within ninety (90) days following account termination, Dripcel shall delete all personal data processed under this DPA, unless the Customer requests the return of personal data as described in Paragraph 11(a). This provision does not affect statutory duties of the Parties to preserve records for retention periods set by law, statute, or contract.

(c) Any additional costs arising from the return of personal data after the termination or expiration of the Agreement shall be borne by the Customer.

12. Data Transfers

(a) The Standard Contractual Clauses and, if required, the UK Addendum, with Dripcel acting as the data importer and the Customer as the data exporter, are incorporated into this DPA. If Dripcel’s arrangement with a sub-processor involves a Restricted Transfer, Dripcel shall ensure that the onward transfer provisions of the Standard Contractual Clauses and/or UK Addendum are incorporated into the Principal Agreement, or otherwise agreed upon between Dripcel and the sub-processor. The Customer agrees to exercise its audit right under the Standard Contractual Clauses by instructing Dripcel to conduct the audit set out in Paragraph 10.


(b) The Customer acknowledges and agrees that, in connection with the performance of the Services under the Agreement, Dripcel may transfer personal data within its company group. These transfers are needed to provide the Services globally.


(c) For transfers of personal data from the European Union, the European Economic Area and/or their member states, Switzerland, and the United Kingdom to countries that do not ensure an adequate level of data protection as defined by Data Protection Laws, the following safeguards are implemented: (i) Standard Contractual Clauses as per European Commission’s Decision 2021/914/EU of June 4, 2021, (ii) UK Addendum, and (iii) additional safeguards regarding security measures, including data encryption, data aggregation, separation of access controls, and data minimization principles.


  1. Sub-processing

(a) The Customer hereby grants Dripcel general authorization to appoint sub-processors in accordance with this Paragraph 13 and Annex 1. Dripcel will ensure that sub-processors are bound by written agreements that require them to provide a level of data protection at least equivalent to that required of Dripcel under this DPA. The Customer also specifically authorizes Dripcel to continue using the sub-processors already engaged as of the date of this DPA, as referenced in section (b).

(b) The current sub-processors for the Services are listed at Sub-processor List. If the Customer subscribes to notifications of new sub-processors through the subscription mechanism at subscription link, Dripcel shall notify the Customer through this mechanism at least thirty (30) days in advance of any intended changes regarding the addition or replacement of any sub-processor. If the Customer has reasonable objections to the proposed appointment, they must notify Dripcel in writing within ten (10) business days of receiving the notice. Dripcel will not appoint the proposed sub-processor until reasonable steps have been taken to address the Customer’s objections, and the Customer has received a reasonable written explanation of the steps taken. If Dripcel and the Customer cannot resolve the issue within a reasonable period, either party may terminate the Principal Agreement for cause.

(c) Dripcel shall be responsible for the acts and omissions of any sub-processors to the same extent that it is responsible to the Customer for its own acts and omissions under this DPA.

14. Governing Law and Jurisdiction

(a)  The parties to this DPA agree to submit to the jurisdiction specified in the Principal Agreement for any disputes or claims arising under this DPA, including disputes about its existence, validity, termination, or consequences of its nullity.


(b) This DPA and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory specified for this purpose in the Principal Agreement.


(c) Notwithstanding Paragraphs (a) and (b) above, all obligations arising out of or in connection with the Standard Contractual Clauses incorporated into this DPA shall be governed by the laws of the EU Member State specified in Annex 1, as required for the validity of those Standard Contractual Clauses according to European Commission’s Decision 2021/914/EU of June 4, 2021.


15. Order of Precedence

(a) In the event of inconsistencies between the provisions of this DPA and any other agreements between the parties, including the Principal Agreement, and agreements entered into or purported to be entered into after the date of this DPA (except where explicitly agreed otherwise in writing and signed on behalf of the parties), the provisions of this DPA shall prevail with regard to the subject matter of this DPA.


16. Severance

(a) If any provision of this DPA is found to be invalid or unenforceable, the remainder of this DPA shall remain in full force and effect. The invalid or unenforceable provision shall either (i) be amended as necessary to ensure its validity and enforceability, while preserving the parties’ original intentions as closely as possible, or (ii) if amendment is not possible, be construed as if the invalid or unenforceable part had never been included.

17. Termination

(a) Upon termination of the Principal Agreement, this DPA and the Standard Contractual Clauses will terminate once Dripcel fulfills its obligation to delete the personal data under processing in accordance with Paragraph 11.


(b) Any amendment or variation to this DPA shall only be binding on the Parties if it is set out in writing and signed by authorized representatives of each Party.





Regarding the Standard Contractual Clauses, the Parties agree as follows:


(a) Module 2 (Controller-to-Processor) shall apply where Dripcel acts as the Customer’s data processor, and Module 3 (Processor-to-Processor) shall apply where Dripcel acts as the Customer’s sub-processor. For each applicable Module:


(b) Clause 7 (Docking clause) is included;


(c) In accordance with Clause 9.a) (Use of sub-processors), Option 2: General written authorization will apply. The data exporter grants the data importer general authorization to engage sub-processors from an agreed list. The data importer must inform the data exporter in writing of any intended changes to that list, including the addition or replacement of sub-processors, at least thirty (30) days in advance;


(d) The optional wording in Clause 11 (Redress) concerning independent resolution bodies is excluded;


(e) For Clause 13 (Supervision), the competent supervisory authority shall be IMY, the Swedish Data Protection Authority;


(f) Option 1 of Clause 17 (Governing law) shall apply, designating the laws of Sweden as governing the Standard Contractual Clauses;


(g) For Clause 18 (Choice of forum and jurisdiction), the courts of Sweden shall resolve any disputes arising from the Standard Contractual Clauses;


(h) Annex IA (List of Parties) and Annex IB (Description of Transfer) shall be completed using the information and details specified in the Principal Agreement and referenced in Paragraph 3 of the DPA;


(i) Annex IB (Description of Transfer) shall be additionally completed by stating that no sensitive data will be transferred. The transfer will occur continuously. For transfers to sub-processors, the subject matter, nature, and duration of the processing will align with that of the data importer;


(j) In Annex IC, the competent supervisory authority under Clause 13 is IMY, the Swedish Data Protection Authority;


(k) Annex II describes the Technical and Organizational Measures, as outlined in Annex 2 of the DPA;


(l) Annex III includes the List of Sub-processors, as detailed in Annex 3 of the DPA.


(i) Annex IB (Description of Transfer) shall further specify that no sensitive data will be transferred. The transfers will occur continuously. For transfers to sub-processors, the subject matter, nature, and duration of the processing shall align with that of the data importer;


(j) For Annex IC, the competent supervisory authority per Clause 13 is IMY, the Swedish Data Protection Authority;


(k) Annex II will describe the Technical and Organizational measures as detailed in Annex 2 of the DPA;


(l) Annex III will include the List of Sub-processors as detailed in Annex 3 of the DPA.




The Technical and Organizational Measures outlined in this Annex apply to the Service(s) provided by Dripcel. If required for the Service, Dripcel may specify additional Technical and Organizational measures within the Service Order or Service.


1. Information and Asset Inventory


An inventory of information and associated assets, including their respective owners, is developed and maintained. Each asset in the inventory has an appointed asset owner in accordance with the asset tagging policy.


2. Authentication Information


The allocation and management of authentication information are controlled through a management process, which includes advising personnel on proper handling practices.


Specifically, Dripcel:


  • Does not restrict the characters that can be used.
  • Requires passwords to be at least 16 characters long.
  • Does not use secret questions as the sole method for password resets.
  • Requires email verification for password change requests.
  • Mandates the current password in addition to the new password during password changes.
  • Verifies newly created passwords against common password lists and leaked password databases.
  • Regularly checks existing user passwords for compromise.
  • Ensures memorized secrets are salted and hashed using an appropriate one-way key derivation function.
  • Enforces account lockout and brute-force protection, locking accounts after a maximum of 5 failed login attempts for 30 minutes.
  • Prevents the reuse of the last 24 passwords.
  • Requires password changes every 365 days.
  • Allows guest network passwords to never expire if they follow the minimum length requirement of 16 characters.
  • Utilizes multi-factor authentication (MFA) and single sign-on (SSO) in all applicable scenarios.

3. Access Rights


Access rights to information and associated assets are provisioned, reviewed, modified, and removed in accordance with the organization’s specific policies and access control rules.


Specifically, at Dripcel:


  • Access rights undergo a quarterly review.
  • User accounts inactive for over 90 days can get deactivated .
  • Quarterly access reviews are conducted for all office access systems to ensure user access rights remain valid.

4. ICT Readiness for Business Continuity


ICT readiness is planned, implemented, maintained, and tested based on business continuity objectives and ICT continuity requirements.


Specifically, at Dripcel:


  • All Business Units maintain one or more Disaster Recovery Plans aligned with their product offerings.
  • The Disaster Recovery Plan (DRP) is tested annually using Incident Simulations.

5. Information Security Awareness, Education, and Training


Personnel and relevant interested parties receive appropriate training on information security awareness, education, and regular updates on the organization’s information security policy, topic-specific policies, and procedures relevant to their job functions.


Specifically, at Dripcel:


  • All employees complete training within three weeks of their start date.
  • All employees have undergone Information Security Awareness (ISA) training within the last 12 months.
  • The content of the ISA training is updated every 12 months.


6. Capacity Management


Resource usage is monitored and adjusted according to current and anticipated capacity requirements.

7. Protection Against Malware


Measures to protect against malware are implemented and supported by appropriate user awareness. All endpoint devices should include EDR (Endpoint Detection and Response).


8. Management of Technical Vulnerabilities


Information regarding technical vulnerabilities in use is obtained, Dripcel’s exposure to such vulnerabilities is evaluated, and appropriate measures are taken.


Specifically, at Dripcel:


  • Vulnerability scans are conducted every seven days.
  • Security patches are applied to all components of the application stack with severity scores higher than “Medium” (as determined by the issuer of the patch) within one month (30 days) after release.
  • Penetration tests are performed annually using black box manual methods.


9. Configuration Management


Configurations, including security configurations for hardware, software, services, and networks, are established, documented, implemented, monitored, and reviewed against standards such as NIST 800-53 and CIS Controls.


10. Information Backup


Backup copies of information, software, and systems are maintained and regularly tested according to the agreed topic-specific policy on backups.


The backup routine specifies:


  • Backup intervals (minimum weekly)
  • Retention requirements
  • Backup storage locations
  • Extent of backup (e.g., data, configurations, full system backup)
  • Backup strategy (e.g., online versus offline, number of backups, relationship between full and incremental backups)
  • Backup restore tests are performed at least quarterly for business-critical systems and annually for all others.


11. Monitoring Activities


Networks, systems, and applications are monitored for anomalous behavior and appropriate actions are taken to evaluate potential information security incidents. These are monitored for unusual and malicious behavior to detect potential security incidents.


12. Network Security


Networks and network devices are secured, managed, and controlled to protect information in systems and applications.


For example, Dripcel:


  • Encrypts data at rest on servers, applications, and databases (AES256 minimum) and data in transit (TLS 1.2 or higher).
  • Implements logging and monitoring to enable recording and detection of actions that can affect or are relevant to information security, including EDR.
  • Ensures product owners maintain up-to-date documentation, including network diagrams and configuration files of devices (e.g., routers, switches).
  • Restricts and filters system connections to the network, both incoming and outgoing, using firewalls to minimize exposed assets both internally and externally.
  • Hardens network devices.
  • Segregates network administration channels from other network traffic.
  • Temporarily isolates critical subnetworks (e.g., with drawbridges) if the network is under attack.


13. System Life Cycle Management


Guidelines for the secure development of software and systems are defined and implemented.


For example, at Dripcel:


  • Systems are designed securely, utilizing threat modeling as required.
  • There is a plan to maintain the system in line with vulnerability management controls.
  • Each system has an appointed owner.
  • There is a plan to replace systems in accordance with a zero legacy policy.


14. Security Testing in Development and Acceptance


Security testing processes are defined and implemented throughout the development life cycle.


For example:


  • SAST and vulnerability & secrets detection scans are used in CICD pipelines, and if possible, DAST.
  • No critical or high vulnerabilities are released to customers before remediation.
  • Network infrastructure is managed securely.
  • All projects follow Product Release Security Checklists.

15. Measures for Ensuring Physical Security of Locations Processing Personal Data


Dripcel has implemented robust physical and environmental security measures.


For example, at Dripcel:


  • Security perimeters are defined to protect areas containing information and associated assets.
  • Secure areas are guarded with appropriate entry controls and access points.
  • Physical security measures for offices, rooms, and facilities are designed and enforced.
  • Premises are continuously monitored to prevent unauthorized physical access.
  • Measures to protect against physical and environmental threats, such as natural disasters or intentional physical threats, are in place.
  • Security measures are enforced for working in secure areas.
  • Clear desk and clear screen policies are defined and enforced for papers, removable storage media, and information processing facilities.
  • Equipment is securely sited and protected.
  • Off-site assets are safeguarded.
  • Storage media is managed throughout its lifecycle according to the organization’s classification scheme and handling requirements.
  • Information processing facilities are safeguarded against power failures and other disruptions..
  • Cables carrying power, data, or supporting information services are protected from interception, interference, and damage.
  • Equipment is maintained properly to ensure the availability, integrity, and confidentiality of information.
  • Items of equipment containing storage media are verified to ensure sensitive data and licensed software are removed or securely overwritten before disposal or reuse.
  • Dripcel has an Information Security Management System (ISMS) compliant with ISO/IEC 27001:2022.


16. Measures for Ensuring Limited Data Retention


Dripcel has implemented measures to ensure limited retention of personal data.


For example, Dripcel:


  • Established a data retention policy defining the specific types of data collected, retention periods, and deletion timelines.
  • Implemented automated deletion processes.
  • Periodically reviews and updates the retention policy..
  • Limits data collection to what is necessary for specific business purposes.
  • Trains employees on data retention policies.
  • Regularly reviews and monitors data retention practices.
  • Uses encryption to protect retained data, reducing the risk of unauthorized access or disclosure.


17. Measures for Ensuring Accountability


Dripcel has implemented appropriate technical and organizational measures to meet accountability requirements.


For example, Dripcel:


  • Adopted and implemented data protection policies.
  • Employed a ‘data protection by design and default’ approach.
  • Executed written contracts with organizations processing personal data on Dripcel’s behalf.
  • Documented its processing activities.
  • Conducted data protection impact assessments.
  • Appointed a Group Data Protection Officer (DPO).


18. Measures for Allowing Data Portability and Ensuring Erasure


Dripcel has measures to allow the exercise of data subject rights.


For example, Dripcel:


  • Erases personal data from backup and live systems when necessary and clearly informs individuals about what happens to their data.
  • Informs recipients about data erasure if the personal data is disclosed to others unless it is impossible or involves disproportionate effort. If personal data is made public online, Dripcel takes reasonable steps to inform other controllers to erase links, copies, or replication of that data.
  • Informs the data subject which third parties have received the personal data upon request.
  • Provides personal data in a structured, commonly used, and machine-readable format when requested. If possible and requested by the individual, Dripcel can directly transmit the information to another organization.


19. Measures for Ensuring Data Minimization


Dripcel has implemented measures to minimize data processing.


For example, for each processing activity, Dripcel:


  • Ensures that the collection of personal data is adequate, relevant, and strictly limited to what is necessary for its intended purposes..
  • Assesses whether it can achieve the purposes of its processing activity with less privacy-invasive data or less intrusive means.
  • Documents the requirement for each data field in relation to the purpose.