
Drafting a Processing in Compliance with Article 30 of the GDPR

How to Draft a Processing in Compliance with Article 30 of the GDPR, Following the Step-by-Step Processing Stages

This article is intended for processing record authors.

To ensure your processing record complies with Article 30 of the GDPR, you must answer the following questions in the processing sheet:

  • What data are you collecting?
  • To whom does it apply?
  • Why?
  • Who has access to it?
  • What security measures are in place to protect it?

These questions are represented by different stages in the processing sheet.

 

Preamble - Creating the Processing Record

  • Click on the Processing menu in the left column, then select Add Processing at the top right

A window opens. This is the processing creation window.

  • Enter the processing name, your qualification (controller or processor), the related area, and the drafters/validators.
  • Select the Standard mode to draft a processing compliant with Article 30. By selecting the Extended mode, you can add additional information to your processing.
  • Click Validate.

The Extended mode allows you to add processing steps that may be necessary in certain cases, such as data subject requests, impact assessments, etc.

You are automatically redirected to the processing. It will also be accessible from the Processings and Record menus.

In the left-hand panel, you will find all the processing steps.

Clicking the small pencil icon opens the processing modification page, where you can switch from Controller (RT) to Processor (ST) or from Standard mode to Extended mode.
You can also edit the processing name, its area, and its drafters/validators.

 

THE PROCESSING STEPS

  • Identification
  • Purposes
  • Data
  • Data Subject Rights
  • Recipients
  • Cross-Border Flows
  • Security Measures
  • Impact Assessments
  • Remarks

Identification

At this stage, you can modify the area to which the processing is linked using the dropdown menu.

Most importantly, you must define the Persons in charge.

  • Click on Add a contact or a department

A window opens on the right, showing the Departments and Contacts repositories.

  • Check the boxes corresponding to the services and contacts responsible for this processing.
  • Click Validate.

Once you have added at least one service or contact, the completion help bubble reaches 100%.

Each step has a completion help bubble. The goal is to reach 100% at each step. Hovering over the bubble with the mouse shows the missing fields needed to reach 100%!

If you switch to Extended Mode, you can add additional information, and a second completion help bubble will appear. This bubble corresponds to the completion rate of the current step in Extended Mode.

 

Purposes

At this stage, you need to specify the reasons for collecting data.

  • Click on Add a purpose.

  • Enter at least one purpose in the newly opened field.
  • Click Validate.

The completion help bubbles for this step update automatically.

The completion help bubbles on the left side of the screen also update. These bubbles indicate the overall completion rate of the entire processing.

Clicking on the bubble will open a detailed completion window on the right, showing the status of each step.

 

Data

At this stage, you must specify:

  • The data collected for this processing.
  • The data subjects concerned.
  • The data retention period.

 

Data Subject categories

  • Click on Add a data subject category.

A window opens on the right, showing the Data Subject Categories menu.

  • Check the boxes corresponding to the categories of people affected by this data collection.
  • Click Validate.

 

Data categories

Next, click on Add data categories.

A window opens on the right, showing the Data Categories repository.

  • Check the boxes corresponding to the data collected for this processing.
  • Click Validate.

If you are working in Extended Mode, you can specify different data types within each data category.

Click on a data category or the small arrow to expand it. Then, click Add and check the boxes for the data types you collect.

 

Life cycle of data categories

The retention period can be identical or specific for each data category.
It can be qualifying or measurable.

  • Select Same for all categories of data or Specific to each data category.

  • Select Qualifying or Measurable.

  • If you selected Measurable, enter a duration and optionally add a comment.
  • Use the dropdown menu to define whether the retention period is in days, weeks, months, or years.

  • If you selected Qualifying, enter a comment.

If the retention period is specific to each data category, repeat this process for each category.

 

Data subject rights

This step is available only in Extended Mode.

 

Exercisable rights

  • Click on Exercisable rights.
  • Check the boxes corresponding to the rights requests that may apply to this processing.

 

Measures Taken

  • Click on Measures taken.
  • Check the boxes corresponding to the measures taken to inform data subjects of their rights.

 

Contact channels

  • Click on Contact channels.
  • Check the boxes corresponding to the ways data subjects can exercise their rights.

 

Recipients

At this stage, you must specify who has access to the collected data.

There are Internal recipients (within your organization) and External recipients (third parties).

  • Click on Internal.
  • Click on Add.

A window opens on the right, showing the Departments and Contacts repositories.

  • Check the boxes corresponding to the departments and contacts with access to the collected data.
  • Click on Validate.

  • If third parties have access to the collected data, click on External, then Add.

A window opens on the right, showing the Third Parties repository.

  • Check the boxes corresponding to the third parties who have access to this processing data.
  • Click Validate.

  • Use the dropdown menu to specify the qualification of the third party.

 

Cross-Border Flows

At this stage, you must define whether data is transferred outside the EU.

  • Check Yes, No, or Do not know.

If you selected "Yes":

  • Click Add recipient.
  • Select the third parties outside the EU that process the collected data.

  • Use the dropdown menu to select the legal safeguard protecting the transferred data.

If the appropriate safeguard is not listed, type a new one in the field and click Add.

 

Security Measures

At this stage, you must specify the security measures in place to protect the collected data.

 

Add a General Security Measure

  • Click Add a general measure.

A window opens on the right, showing the Security Measures menu. 

  • Check the boxes corresponding to the implemented security measures.
  • Click Validate.

 

Add a Security Measure via a Site, Hardware, or Software

  • Click Add a site, Software, or Hardware.

A window opens on the right, showing the Site, Hardware, and Software repositories.

  • Check the boxes corresponding to the sites, hardware, and software used to process the collected data.
  • Click Validate.

If your repositories are properly configured, security measures are automatically linked to sites, software, and hardware!

 

Impact Assessments

This step is available only in Extended Mode.

  • Indicate whether the impact assessment has been completed, needs to be done, is in progress, or is not applicable.

At this step, you can add an impact assessment from within the processing.

  • Click Add next to PIA associated with the processing.

A window opens on the right. This is the Impact Assessment creation window.

  • Name your impact assessment.
  • Specify the drafters, evaluators, and validators.
  • Click Validate.

You will be automatically redirected to the newly created impact assessment, which is now linked to the processing.

 

Remarks

At this stage, you can enter any relevant information related to this processing.

The Remarks field will appear in the PDF or Excel export of the processing record.