Creating Article 30-compliant processing

This article explains how to create a processing activity that is compliant with GDPR Article 30. It covers both data controllers and processors.

At any time, you can follow your progress by viewing your percentage of completion. When you have reached 100%, your processing activity is Article 30-compliant.

This article describes the minimum requirements to achieve Article 30 compliance. You are free to add additional items and to complete non-required fields. These additional items and fields may later contribute to achieving 100% completion in Extended mode.

For detailed information on the processing statuses, see Processing workflow.

The following table gives you a quick idea of the information required to build an Article 30-compliant processing activity, with the differences for data controllers and processors. Use it as a reminder once you are familiar with the processing creation process. However, the first time you create a processing activity, we strongly advise you to read through the full article.

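ARTICLE 30 COMPLIANCE

Minimum requirements

| SECTION | DATA CONTROLLER | PROCESSOR |
|---|---|---|
| Identification | 1 department OR 1 person in charge + 1 data subject category | 1 department OR 1 person in charge + 1 data subject category |
| Purposes | 1 purpose + 1 legal basis | 1 purpose + 1 legal basis |
| Data | 1 data category + storage information (deletion method + how long data is stored + starting when) | 1 data category + storage information (deletion method + how long data is stored + starting when) |
| Data subject rights | None | None |
| Recipients | 1 internal recipient OR 1 external recipient | None |
| Cross-border flow | No, OR Yes + 1 Non-EU recipient + Appropriate safeguard | No, OR Yes + 1 Non-EU recipient + Appropriate safeguard |
| Security measures | IF Site or Software => 1 security measure for each; IF Hardware => Type + 1 security measure for each | IF Site or Software => 1 security measure for each; IF Hardware => Type + 1 security measure for each |
| Impact assessment | Yes + Yes, OR Yes + Not applicable | None |
| Status and documentation | None | None |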

Before you get started

There are a few key points you should know when completing a processing activity. Take a quick look now; it will save you time later!

  • When you open a processing activity in Article 30 mode, sections that are not required are grayed. If you nevertheless wish to complete some of these sections, hover the mouse over the section, click Activate for this processing, and complete the field. Completing grayed fields does not increase your completion percentage.

  • You can add additional items that are not required, but each item added must be complete. For example, in the Data section, one category of personal data must be selected, along with its storage information. If you select an additional data category, you must provide the storage information for that data category as well, even though you were not required to add another data category. Otherwise you will not get the full completion percentage for that section.

  • Adding additional items that are not required does not increase your completion percentage.

  • Departments and contacts must be added to their respective repositories before you can add them to a processing activity. Areas must also be added to their repository first in order to select them.

  • You can link third parties, software and sites to a processing activity during the completion process. However, we recommend that you add them to the relevant repositories before creating the processing activity, as it will save you some skipping back and forth between the sections!

  • There is no Save button. At each stage your work is saved automatically.

KEY POINTS:

  • Grayed fields are not required but can be activated.

  • Completing grayed fields or adding additional items does not increase your completion percentage. However, if the information for these optional fields or items is not fully completed, your completion percentage will decrease.

  • To add departments or contacts, or to select areas, they must be added to their repositories first.

  • To link third parties, software or sites, we recommend adding them to their repositories first.

  • Your work is saved automatically.

How to create a processing activity

Ok, time to get started.

To create a processing activity:

1. In the sidebar, click Processing.

2. The Processing page is displayed. It lists all the processing activities of the entity.

3. The Article 30/Extended toggle button must be gray. If it is green, click the button to toggle to Article 30.

4. To create a processing activity there are two options:

  • Create a processing activity from scratch: Click the Add processing button.

  • Activate one of the industry-specific standard processing activities included in your GDPR software: Locate the processing activity, and in the Status column, click the Activate button.

5. The window that opens depends on your choice in the previous step. Both windows are very similar.

  • If you clicked the Add processing button, the Add new processing window opens.

  • If you activated a standard processing activity, the Activate processing window opens (shown below).

6. Do one of the following:

  • If you are adding a new processing activity, in the Type and name field, select DC (Data Controller) or DP (Data Processor) and give the processing activity a name. Then, in the Area dropdown menu, select an area. The name and area can be changed later, but not the type.

Areas are used to organize processing activities. They must have been added to the Areas repository beforehand.

  • If you are activating a standard processing activity, the Type and name and Area fields are already populated.

 

7. As the current user, you are selected by default as both the Drafter and the Validator.

The drafter and validator can be the same person or two different people. In addition, there can be several drafters and/or several validators.

  • To add other drafters and/or validators, click the respective fields and select a name from the dropdown list.

  • To delete, click the “x” next to their name.

  • You can change them later if required.

For detailed information on the tasks of drafters and validators, see Processing workflow.

 

8. To create/activate the processing activity you have two options:

  • Click the Create and stay on page / Activate and stay on page button. This creates/activates the processing activity and keeps you on the Processing page, allowing you to work on other processing activities.

  • Click the Create and start editing / Activate and start editing button. This creates/activates the processing activity and opens it, allowing you to start completing it (shown below).

 

You have created a processing activity. Your current completion percentage should be:

  • 14% for Data controllers

  • 20% for Processors

(Data controllers and processors do not have the same completion requirements, so the percentages will differ.)

 

The processing activity now needs to be completed. Please continue to the next section.

How to complete an Article 30-compliant processing activity

This section describes each of the sections to be completed in order to create an Article 30-compliant processing activity. Seven sections are required for data controllers and five for processors.

Identification

1. In the sidebar, click Processing, locate the processing activity and click its name to open it.

2. The processing menu listing each section of the processing activity displays to the left. By default, you are in the Identification section. Check that the Article 30/Extended toggle button is gray (Article 30 selected).

The Identification page displays to the right. The Managers tab is open.

3. Click the Add a department or a person in charge button. This is where you will select the department or person to contact in your organization that is qualified to answer questions concerning the processing activity.

The departments and contacts must have been added to the department or contact repositories beforehand.

Do one of the following:

  • To choose a department without designating a specific contact, in the Departments tab, select a department.

  • To choose a specific person, click the Contacts tab and select the contact. The Department in charge column will be automatically populated with the contact’s department.

One department OR one contact is sufficient to be Article 30-compliant. Of course, you can add several.

 

4. Do one of the following:

  • Select one category of data subject.

  • Enter the name of a personalized category in the Other field and click the Add button.

A single category is sufficient.

Your completion percentage should be:

  • 29% for Data controllers (15% for this section only)

  • 40% for Processors (20% for this section only)

The three other tabs on the Identification page – Software, Third parties and Sites – provide a central location for linking items to this processing activity that will be needed later in the processing creation process:

  • Third parties tab: add external data recipients for the processing activity in question. They will be needed in the Recipients section. Also, add non-EU data recipients for the processing activity in question. They will be needed in the Cross-border flow section.

  • Software tab: add software that collects data for the processing activity in question. It will be needed in the Security measures section.

  • Sites tab: add sites where the data for the processing activity in question is processed. They will be needed in the Security measures section.

You can wait and add these items once you are working on the specific sections, but it requires less jumping back and forth if you add them in this section.

 

If you add software or sites to the Identification section, your completion percentages may differ from the percentages indicated in this article at the end of each section. However, the final completion percentage of 100% should be the same.

Purposes

1. In the Processing menu, click Purposes.

 

2. The Purposes page opens. Do one of the following:

  • Enter a text description of the purposes in the text box.

  • Click the Add value button and either select one of the proposed purposes or enter your own in the text field. If you are creating a new processing activity from scratch, no purposes are proposed and you must enter your own text.

You do not need to both provide a text description AND use the Add value button. One is sufficient.

 

3. Select at least one item beneath What is the legal basis for this processing.

When you select a legal basis, a text field allows you to enter additional information. This field is not required.

Your completion percentage should be:

  • 43% for Data controllers (14% for this section only)

  • 60% for Processors (20% for this section only)

Data

1. In the Processing menu, click Data.

2. The Data page opens. Select a data category, or use the Other field to enter a personalized data category and click the Add button.

3. A window opens, allowing you to enter data storage information for that category.

  • Select manual or automatic erasure.

  • Enter a Duration. Modify the time unit if required (the default is Month(s)).

  • Select the Starting point. This is the moment when the “duration clock starts ticking”. If you select Other, you must describe the starting point in the text field provided.

If you have selected several data categories, you must provide the data storage information for each one.

Your completion percentage should be:

  • 57% for Data controllers (14% for this section only)

  • 80% for Processors (20% for this section only)

Data subject rights

The Data subject rights section is optional for Article 30 compliance. It does not increase your completion percentage. To find out more about this section, see Completing processing in Extended mode.

Recipients

For Article 30 compliance, the Recipients section is:

  • Required for Data Controllers

  • Optional for Processors (it is required in Extended mode).

This section allows you to select a data recipient that belongs to your organization, or is outside it.

1. In the Processing menu, click Recipients.

The terms “Recipient” and “Third party” are interchangeable.

 

2. Do one of the following:

  • To select an Internal recipient, click Add internal recipient and select a Department or a Contact.

  • To select an external recipient, click the External tab and select a recipient using the Assign third party dropdown menu, or click the Add a third party button to create a new external recipient.

If you select an external recipient, to get the full completion percentage, the only information required is its name.

Recap: to be Article 30-compliant, choose one internal recipient OR one external recipient. You can of course choose both or several of each, but this will not change your completion percentage.

Your completion percentage should be:

  • 71% for Data controllers (14% for this section only)

  • Optional for Processors (no percentage points)

Cross-border flow

1. In the Processing menu, click Cross-border flow.

2. The Cross-border flow page opens. Do one of the following:

  • If no personal data will be transferred outside the European Union, select No.

  • If personal data will be transferred outside the European Union, select Yes. Then click the Add recipient dropdown menu to select the non-EU data recipient(s). You can add several recipients, but only one is required.

If the third party you are looking for does not appear in the Select third parties menu, you must add it to the list of third parties (Identification → Third parties → Assign third party or Add a third party) or to the list of external recipients (Recipients → External → Assign third party or Add a third party).

If the third party appears in the list but is grayed, either the country field was not completed, or the country selected is an EU member.

 

Once you have added the recipient, select an Appropriate safeguard from the dropdown menu.

If you select Do not know, you will not get any of the completion percentage points.

Your completion percentage should be:

  • 86% for Data controllers (15% for this section only)

  • 100% for Processors (20% for this section only)

Security measures

Completing this section is simpler if the sites or software you will be linking to this processing activity have already been added to their respective repositories. You can create them via this page, but it requires a bit more skipping back and forth between the sections!

You are not required to complete this section if the processing activity you are working on has no sites, software or hardware linked to it.

1. In the Processing menu, click Security measures.

2. The Security measures page opens. This page is designed to ensure:

  • that any sites, software or hardware linked to the processing activity has at least 1 security measure

  • that any hardware linked to the processing activity has a Type.

If you did not link any sites or software to the processing activity via the Identification section, you can do it here, though linking software or sites is not required to be Article 30-compliant.

Now let’s see how it’s done!

 

Sites

The Building access control measures tab allows you to link sites to the processing activity and add security measures.

  • If you wish to link a site to the processing activity, click the Assign a site button, which redirects you to the Identification section. From there, use the Assign a site dropdown menu to select an existing site or create a new one (Add a site button).

  • If one or more sites are already linked to the processing activity (via the Identification section), they are listed here.


  • Whether the site was already linked to the processing activity or whether you do it now in this section, each linked site must have at least one internal OR one external security measure. To add a security measure to the site, click the Update measures link. Then click the Security measures tab. Click an Add value button to add an internal or external security measure to the site. (Click the Back arrow of your browser to return to the page.)

Software

The IT security measure tab allows you to link software to the processing activity and add security measures.

  • If you wish to link software to the processing activity, click the Assign software button, which redirects you to the Identification section. From there, use the Assign software dropdown menu to select existing software or create a new one (Add a software button).

  • If one or more software items are already linked to the processing activity (via the Identification section), they are listed here.

  • Whether the software was already linked or whether you do it in this section, each software item must have at least one security measure. To add a security measure to the software, click the Update measures link. The Security tab opens. Click an Add value button to add a security measure to the software. (Click the Back arrow of your browser to return to the page.)

Hardware

Hardware can only be added via this section (it cannot be added via the Identification section). If you wish to add hardware:

1. Click the IT security measure tab and then click Add hardware.

2. In the Type field, enter a description of the hardware.


3. In the Security measure section, click a box to select a security measure.

To add another hardware item, click the Add hardware button again.

If you click Add hardware, you must complete the fields as described above. Otherwise use the Delete this hardware button to delete it. Any hardware left empty will reduce your completion percentage!

Your completion percentage should be:

  • 86% for Data controllers

  • 100% for Processors!

No points are given for this section because having a site, software or hardware is not required. However, if you have one and it does not have a security measure, 5% will be removed from the total.

Impact assessment

For Article 30 compliance, the Impact assessment section is:

  • Required for Data Controllers

  • Optional for Processors (it is required in Extended mode).

1. In the Processing menu, click Impact assessment.

2. The Impact assessment page opens. You will receive the full completion percentage for this section if you answer:

  • Yes to the first question

  • Yes or Not applicable to the next question.

Any other combination of answers will not give you the full completion percentage.

To find out more about impact assessments, see PIA workflow.

Your completion percentage should be:

  • 100% for Data controllers! (14% for this section only)

  • Optional for Processors (no percentage points)

Status and documentation

The Status and documentation section is not required for Article 30 compliance. Adding items does not increase your percentage points. It is described here for information only.

1. In the Processing menu, click Status and documentation.

2. The Status and documentation page opens. It allows you to:

  • View the status of the processing activity

  • Add documents (for more information, see Working with documents).

  • View actions assigned to the processing activity

  • Add comments