Completing processing in Extended mode

Extended mode allows your organization to carry out full mapping of its processing activities.

The term Extended refers to a mode for completing processing activities that are not only GDPR Article 30-compliant, but contain additional information above and beyond those requirements. Working in Extended mode can be a helpful way to record information on a processing activity that, while not required by Article 30, may be important to your organization. Extended mode can also serve as preparation in the event of future extensions to Article 30.

It is possible that you will not be able to achieve 100% completion in Extended mode because some of the information required may not apply to your organization. This must not be viewed as a problem, since to be GDPR-compliant you only need to fulfill the conditions set forth in Article 30. Extended mode simply serves as a guideline for producing a more complete processing record.

This article assumes that the processing activities you will be working on in Extended mode are already Article 30-compliant. It only covers the additional requirements beyond Article 30 that are specific to Extended mode.

To find our more about Article 30 compliance and to view the full process for creating and completing processing activities, see Creating Article 30-compliant processing.

 

Table of contents

Quick reference

The following two tables give you a quick idea of the minimum information required to achieve a completion percentage of 100% in Extended mode. One table is for Data Controllers, the other is for Processors. Please read the rest of this article for a fuller description of each section.

DATA CONTROLLER

Minimum requirements

SECTION

ARTICLE 30

EXTENDED MODE

Identification

1 department OR 1 person in charge + 1 data subject category

Implementation date + Internal reference

1 Software AND 1 Site (with 1 security measure each)

Purposes

1 purpose 1 legal basis

Additional info if legal basis is “legitimate interests” or “legal obligation”

Data

1 data category + storage information (deletion method + how long data is stored + starting when)

IF data will be archived = Yes =>how long + starting when

Typology for each data category (Data types + Data origins + Types of collection + Storage location)

Nature > Interconnections, use of technology and impact: all questions except “Does the processing require use of a new innovative technology?”

Data subject rights

None

1 item in each tab (3 total)

Recipients

1 internal recipient OR 1 external recipient

IF external recipients =>Qualification

Cross-border flow

No, OR Yes + 1 Non-EU recipient + Appropriate safeguard

None

Security measures

IF Site or Software => 1 security measure for each

IF Hardware => Type + 1 security measure for each

1 Hardware (with Type + Brand + Reference + 1 security measure)

Impact assessment

Yes Yes OR Yes Not applicable

None

Status and documentation

None

None

 

PROCESSOR

Minimum requirements

SECTION

ARTICLE 30

EXTENDED MODE

Identification

1 department OR 1 person in charge + 1 data category

Implementation date + Internal reference

1 Software AND 1 Site (with 1 security measure each)

Purposes

1 purpose 1 legal basis

Additional info if legal basis is “legitimate interests” or “legal obligation”

Data

1 data category + storage information (deletion method + how long data is stored + starting when)

IF data will be archived = Yes =>how long + starting when

Typology for each data category (Data types + Data origins + Types of collection + Storage location)

Nature > Interconnections, use of technology and impact: all questions except “Does the processing require use of a new innovative technology?”

Data subject rights

None

1 item in each tab (3 total)

Recipients

None

1 internal recipient OR 1 external recipient with Qualification

Cross-border flow

No, OR Yes + 1 Non-EU recipient + Appropriate safeguard

None

Security measures

IF Site or Software => 1 security measure for each

IF Hardware => Type + 1 security measure for each

1 Hardware (with Type + Brand + Reference + 1 security measure)

Impact assessment

None

Yes Yes OR Yes Not applicable

Status and documentation

None

None

Switching to Extended mode

  1. In the sidebar, click Processing.

  2. Toggle the Article 30/Extended button to Extended. It should turn green.

3. When you switch to Extended mode, two things happens:

  • The zones of a processing activity that were grayed in Article 30 mode are now activated.

  • The rate of completion changes. More specifically, processing activities that had a completion percentage of 100% in Article 30 mode will have a lower completion percentage in Extended mode.

Article 30-compliant processing activities - 100% completion

Same processing activities in Extended mode - Less than 100% completion

The new percentage will vary depending on which items were completed.

The rest of this article will show you how to once again achieve 100% completion, this time in Extended mode!

Requirements per section

This section describes the minimum information that must be added in addition to the information already contained in an article 30-compliant processing activity in order to achieve a completion percentage of 100% in Extended mode. Naturally, you can enter additional information above and beyond the information described here.

Identification

  1. In the Identification section, under the Managers tab, enter an Implementation date (date when processing begins) and an Internal reference (you can use the reference system of your choice).

2. Click the Software tab. Check that at least 1 software item is listed.

3. If no software is listed, assign or add 1 software item. Each software must have at least one security measure.

4. Click the Sites tab. Check that at least 1 site is listed.

5. If no site is listed, assign or add 1 site. Each site must have at least one security measure.

For information on how to assign or add software or sites, or how to add security measures, see Software repositorySites repository, and Security Measures in Creating Article 30-compliant processing.

Purposes

In the Purposes section, if the legal basis is:

  • “Processing is necessary for compliance with a legal obligation”

OR

  • “Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party”

then you must enter additional information in the text field below the item. The other text fields can remain empty.

Data

  1. In the Data section, in the Categories tab, for each data category selected, if you selected the Yes checkbox beneath the archiving question, you must do the following:

  • Enter a Duration. Modify the time unit if required (the default is Month(s)).

  • Select a Starting point. This is the moment when the “duration clock starts ticking”. If you select Other, you must describe the starting point in the text field provided.

2. Click the Typology tab and click the Add line button.

  • In the Data category column, the dropdown menu contains all the data categories selected in the Categories tab. Select one.

  • In the Data types column, click the Add value button and select at least one type of data.

  • In the Data origins column, click the Add value button and select at least one data origin.

  • In the Types of collection column, select at least one option.

  • In the Storage location column, describe where the data is stored (cloud, hard drive, etc.).

3. If more than one data category is selected, they appear in the dropdown menu. Click the Add line button and repeat step 2 for each data category.

4. Click the Nature tab, scroll down to the Interconnections, use of technology and impact section, and answer the following questions:

  • Approximate number of data subjects: the approximate number of persons whose data will be processed by this processing activity.

  • Is the data interconnected with other filing systems?: if you answer Yes…, you must also answer the two related questions that are displayed.

  • Does the processing have an impact on employees or agents?: If you answer Yes, you must indicate the date the employee representative bodies were consulted, and add the 2 documents requested concerning this consultation.

Data subject rights

  1. In the Data subject rights section, in the Exercisable rights tab, select at least one right that data subjects can exercise.

You are not required to enter additional information in the text box or to add documents for any of the items in the Data subject rights section.

 

2. Click the Measures taken tab and select at least one measure taken to inform data subjects of their rights.

3. Click the Contact channels tab and select at least one channel through which data subjects can exercise their rights.

Make sure you have selected at least one item in each tab!

Recipients

The steps required to achieve 100% in Extended mode differ depending on whether the processing activity is performed by a Processor or a Data Controller. Please refer to the relevant section below.

Note: 100% completion in Extended mode is the same for all processing activities, whether performed by processors or data controllers. However, since Article 30 requirements are more stringent for data controllers, processors have a little more “catching up” to do than data controllers to achieve 100% in Extended mode.

 

Processors

Processors must select a data recipient that is either inside their organization or outside it.

  1. In the Recipients section, do one of the following:

  • To select an Internal recipient, click Add internal recipient and select a Department or a Contact.

OR

  • To select an external recipient, click the External tab and select a recipient using the Assign third party dropdown menu, or click the Add a third party button to create a new external recipient.

2. If you selected one or more external recipients, use the dropdown menu in the Qualification column to select a qualification for each one.

Recap: choose one internal recipient OR one external recipient + a qualification. You can of course choose both or several of each, but this will not change your completion percentage.

 

Data controllers

For data controllers, if the processing activity is already Article 30-compliant, additional information is only required if external recipients are linked to the processing activity. Otherwise you can skip to the next section.

  1. In the Recipients section, click the External tab.

  2. If external recipients are listed in this tab, use the dropdown menu in the Qualification column to select a qualification for each one.

Cross-border flow

No additional information is required in this section.

Security measures

  1. In the Security measures section, click the IT security measure tab.

  2. Do one of the following:

  • If hardware is listed in this tab, identify the hardware by entering a Brand and a Reference for each hardware item (if the processing activity is Article 30-compliant, it should already have a Type and at least 1 Security measure).

  • If no hardware is listed, add at least one hardware item and enter a TypeBrandReference, and at least 1 Security measure.

To find out more about adding hardware, see Security Measures in Creating Article 30-compliant processing.

Impact assessment

This section only concerns processing activities performed by Processors. No additional information is required for processing activities performed by Data Controllers.

 

In the Processing menu, open the Impact assessment section.

You will receive the full completion percentage for this section if you answer:

  • Yes to the first question

  • Yes or Not applicable to the next question.

Any other combination of answers will not give you the full completion percentage.

Status and documentation

No additional information is required in this section.

 

If you have completed all the fields required in Extended mode, your completion percentage should be 100%!