- Go to Privacy Management > Record of processing activities.
- Click ‘Add new processing activity’.
- Create a name for the processing activity by filling out the ‘Name of processing activity’ field.
- Enter a description into the ‘Description’ field.
- Decide whether this processing activity is linked to one or more steps of a main process, or to multiple main processes. Click ‘Yes’ if you want to create the link.
- Link a main process by selecting one from the ‘Main process’ list, or click the ‘+’ sign to create a new main process by entering a name in the ‘Main process name’ field and clicking ‘Save’. Then select the newly created process from the ‘Main process’ list. Click ‘x’ to remove a linked main process.
- Link a process step to the processing activity by selecting the specific step(s) from the Process step list.
- Add a tag if desired.
- Select the legal basis for your processing activity. Note that if you select “legitimate interest”, a balancing test is created automatically. If you select “legal obligation”, a reference is created in the legal obligation management, where you can link a legislation as well as specific articles.
- Describe the purpose of processing in the ‘Purpose description’ field.
- Select the applicable Office(s). If the processing activity is linked to a process this field will be filled out automatically.
- Select the applicable Department(s). If the processing activity is linked to a process this field will be filled out automatically.
- Select one or more actors that are relevant to the processing activity.
- The Processing activity creator is the person who creates the activity. This field is filled in automatically and cannot be changed. If the activity was created through a bulk import, the name of the person who performed the import is shown.
- Select the ‘Processing Activity Owner’. This can be either a User known within RESPONSUM or someone outside of RESPONSUM.
- Select Other involved users from the user list, or enter names/roles into the ‘other involved people’ field (expert question).
- Create a review interval by entering a review interval number and selecting a review interval period (day(s)/week(s)/month(s)).
- Select the role your organization takes in this processing activity: Controller or Processor.
- Select ‘yes’ if joint-controllers are involved, then select them from the ‘Add joint-controllers’ list.
- If the Start date of the processing activity is known, select ‘yes’ (expert question).
- Select the start date (expert question).
- If the end date of the processing activity is known, select ‘yes’ (expert question).
- Select the end date (expert question).
- Add a data subject by clicking ‘Add Data Subject’. If the processing activity is linked to a process, this field is filled out automatically.
- Add details per data subject type by clicking “toggle data about details”. Select the country, the estimated number of individuals involved and the involvement time period.
- Add data by selecting Data Attributes and/or Data Objects from the list.
- In case special categories are being processed, select the legal ground for processing Special categories of personal data (If applicable).
- Specify the legal ground selected.
- Select a department from the Access granted list, or click the ‘+’ sign to create a new department (expert question).
- Enter a reason for access into the ‘reason’ field (expert question).
- How will confidentiality be guaranteed? Select an item from the drop-down menu (expert question).
- Give more information about the data that is being processed (expert question).
- Add IM system(s) by selecting from the list, or click the ‘+’ sign to create a new IM System.
- Add more details of the specific location in the ‘Specific location’ field.
We provide an integration with Filerskeepers, which lets you retrieve the possible retention periods for the selected data types. Filerskeepers is a large database of retention periods for personal data in different countries, based on legislation or best practice. If the integration is active in your tenant, take the following steps:
- Click “start the wizard”
- Select a country where the data is being stored
- Select the category and sub-category of your personal data
- Select the record type
- A list of obligations will be shown. For more details click on the downward facing arrow at the end of an obligation and select “view details”. Select the one applicable. The details will be filled out automatically.
When you fill out the form manually, the following steps should be taken:
- Enter the retention period in the ‘Retention Period’ field.
- Select the ‘Retention unit’ (day(s)/week(s)/month(s)).
- Enter the trigger that starts the retention period.
- Select the source of the retention period: defined by legislation or self-defined.
- Legislation: select one or more legislations. If you don’t find it in your list, add a new one by clicking the + sign and filling out the questions. Then select a specific article if applicable.
- Enter a description of the retention period.
- Enter exceptions on the retention period in the ‘Exceptions’ field.
- Enter the action on the personal data after the retention period in the applicable field.
Security of Processing
- Click the “+” sign to add Technical & Organisational Measures (TOMs) for this processing activity.
- Select the applicable measure from the drop-down list, or create a new measure by providing a name.
- If a new measure is added, fill out the description and measure type.
- Select the implementation status from the drop-down menu.
- Select the Related IM system(s) (If applicable).
- Select a user to whom this measure is appointed.
- Add a deadline for when the measure should be in effect by selecting a date with the date picker.
- If there are External Data Processor(s) used, click ‘yes’.
- Select the External Data Processor(s) from the External Data Processor(s) list, or click the ‘+’ sign to create a new External Data Processor.
- If data is transferred outside of the EEA, click ‘yes’.
- Select one or more countries to which the data is being transferred.
- Select the Data transfer mechanism, from the Data transfer mechanism list.
- Enter a description of the Data transfer mechanism into the ‘Data transfer mechanism’ field.
- Refer to online documentation by pasting the link in the reference field.
- Add assets to the Data transfer mechanism description, by selecting a file or by dropping it in the field.
- If External Data Recipients are present, click ‘yes’.
- Select the External Data Recipients from the External Data Recipients list, or click the ‘+’ sign to create a new External Data Recipient.
- If Internal Data Recipients are present, click ‘yes’.
- If the Internal Data Recipient is an Office, select it from the Internal Data Recipients (Offices) list, or click the ‘+’ sign to create a new Office.
- If the Internal Data Recipient is a Department, select it from the Internal Data Recipients (Departments) list, or click the ‘+’ sign to create a new Department.
Data protection principle check
There are 7 key principles at the heart of processing personal data. Use the following questions to check whether your company complies with them.
- LAWFULNESS, FAIRNESS & TRANSPARENCY
- Are you processing personal data in a lawful and fair way? Do you communicate about the processing of personal data transparently, in clear and plain language that is easy to understand? If so, select yes. Add a justification if necessary.
- Link relevant policies/procedures provided to the data subjects for this processing activity. (expert question)
- Is there a legal basis defined? This question is filled in automatically if you already determined this in the tab “General details”. Add a justification if necessary. (expert question)
- PURPOSE LIMITATION
- Are you collecting personal data for a specific, explicit, and legitimate purpose that is limited to this processing activity? If so, select yes. Add a justification if necessary.
- SMART principle: select the applicable items and give a justification if necessary. (expert question)
- DATA MINIMISATION
- Is the collection of personal data adequate, relevant, and limited to what is necessary in relation to the purposes? Can the purpose not be fulfilled by other means? If so, select yes. Add a justification if necessary.
- ACCURACY
- Is the collected data accurate and up-to-date? If so, select yes. Add a justification if necessary.
- Is the data regularly checked for updates? If so, select yes. Add a justification if necessary. (expert question)
- Is the data quality controlled and managed throughout the flow of the data between various processing systems (IM systems)? If so, select yes. Add a justification if necessary. (expert question)
- STORAGE LIMITATION
- Are time limits established for the erasure of data or for a periodic review in order to ensure that the personal data are not kept longer than necessary? If so, select yes. Add a justification if necessary.
- INTEGRITY & CONFIDENTIALITY
- Is the personal data being processed in a manner that ensures appropriate security and confidentiality of the personal data? If so, select yes. Add a justification if necessary.
- Add custom fields by clicking the “+” sign.
- Provide a custom field label by entering a name.
- Click “add”.
- Fill out the custom field and/or enter more information about the processing activity.