Menü aufrufen
Toggle preferences menu
Persönliches Menü aufrufen
Nicht angemeldet
Ihre IP-Adresse wird öffentlich sichtbar sein, wenn Sie Änderungen vornehmen.

Verarbeitungstätigkeit/en: Unterschied zwischen den Versionen

Aus HITGuard User Guide
Isan (Diskussion | Beiträge)
Die Seite wurde neu angelegt: „<b>Editing completed</b> * When a processing activity is moved into the state "Editing completed" by selecting "Commplete editing", it is turned read-only and…“
Isan (Diskussion | Beiträge)
Keine Bearbeitungszusammenfassung
Markierungen: mobile web edit mobile edit
 
(93 dazwischenliegende Versionen von 3 Benutzern werden nicht angezeigt)
Zeile 5: Zeile 5:
:This means a processing activity is any process or procedure in which any form of personal data is processed, whether it is simply saved or used for evaluation.
:This means a processing activity is any process or procedure in which any form of personal data is processed, whether it is simply saved or used for evaluation.


<span id="Details_der_Verarbeitungstätigkeit"></span>
== <span id="Details der Verarbeitungstätigkeit"></span>Processing activity details ==
== <span id="Details der Verarbeitungstätigkeit"></span>Processing activity details ==


Zeile 16: Zeile 17:


<u>PA-responsibility:</u>
<u>PA-responsibility:</u>
* Here, designate one or more persons responsible. For this, enter the organizational units or external persons responsible for the processing activity. In the mapping dialog, only those contacts created in "Data protection → Externals" are displayed, which have also been marked as PA-responsible. This label needs to be set directly in the External creation mask ("Data protection → Externals"). If the respective external has not yet been created, this can be done directly here.
* Here, designate one or more persons responsible, who decide over the means and purpose of the processing of the personal data. For this, enter the organizational units or external persons responsible for the processing activity. In the mapping dialog, only those contacts created in "Data protection → Externals" are displayed, which have also been marked as PA-responsible. This label needs to be set directly in the External creation mask ("Data protection → Externals"). If the respective external has not yet been created, this can be done directly here.


<u>Code and Name:</u>
<u>Code and Name:</u>
Zeile 25: Zeile 26:


<u>Person responsible:</u>
<u>Person responsible:</u>
* This is the person or team that decides the purposes and means of the processing of personal data.
* The person or team responsible for the PA within the company.


<u>Advisor:</u>
<u>Advisor:</u>
Zeile 31: Zeile 32:


<u>Joint responsibility:</u>
<u>Joint responsibility:</u>
* If two or more persons responsible together decide the purposes and means of a processing activity, they share joint responsibility. In a transparent agreement, they stipulate which of them fulfills which one of the obligations according to the ordinance, especially regarding the rights of the data subjects, and who complies with information obligation as per the articles 13 and 14.
* If two or more responsibles together decide the purposes and means of a processing activity, they share joint responsibility. In a transparent agreement, they stipulate which of them fulfills which one of the obligations according to the ordinance, especially regarding the rights of the data subjects, and who complies with information obligation in accordance with Articles 13 and 14.
* There should also be a short description of who fulfills which obligations according to the ordinance.
* There should also be a short description of who fulfills which obligations according to the ordinance.
* Agreements and any other relevant documents created for this purpose can be uploaded here.
* Agreements and any other relevant documents created for this purpose can be uploaded here.
Zeile 45: Zeile 46:


<u>Change log:</u>
<u>Change log:</u>
* Here, the time and author of changes made to the processing activity, the time of a status change and the time of its completion are recorded.
* Here, the time and author of changes made to the processing activity, the time of a status change, and the time of its completion are recorded.
:[[Datei:Verarbeitungstätigkeit Änderungsprotokoll.PNG|left]]
:[[Datei:Verarbeitungstätigkeit Änderungsprotokoll.PNG|left]]
<br clear=all>
<br clear=all>


<span id="Status_und_Löschung_einer_Verarbeitungstätigkeit"></span>
== <span id="Stati"></span>Status and deletion of a processing activity==
== <span id="Stati"></span>Status and deletion of a processing activity==


A processing activity can be in various states. If e-mail notifications are activated in the management system, all relevant people in the workflow are prompted to perform their respective tasks when the state is changed. In this case it would be the advisor, if an expert of professional requests the editing of a processing activity.
A processing activity can be in various states. If e-mail notifications are activated in the management system, all relevant people in the workflow are prompted to perform their respective tasks when the state is changed. In this case, it would be the advisor, if an expert of professional requests the editing of a processing activity.


<b>Draft</b>
<b>Draft</b>
Zeile 76: Zeile 78:
<b>Editing completed</b>
<b>Editing completed</b>
* When a processing activity is moved into the state "Editing completed" by selecting "Commplete editing", it is turned read-only and can no longer be edited.
* When a processing activity is moved into the state "Editing completed" by selecting "Commplete editing", it is turned read-only and can no longer be edited.
* When the processing activity moves into this state, a [[Special:MyLanguage/Prozesse | process]] is created automatically for this processing activity. Processes are accessible to experts in "Administration → Processes".
* When the processing activity moves into this state, a <b>[[Special:MyLanguage/Prozesse | process]]</b> is created automatically for this processing activity. Processes are accessible to experts in "Administration → Processes".
* When completing a processing activity, it is possible to link it to a DPIA if at least one prior version of the PA is linked to that DPIA. There is also a suggestion to review and possibly update that DPIA.


<b>Löschen und außer Kraft setzen einer Verarbeitungstätigkeit </b>
<b>Deleting and annulling a processing activity</b>
* Durch "Verarbeitungstätigkeit löschen" können Sie Verarbeitungstätigkeiten, die noch nicht abgeschlossen sind, löschen.
* By selecting "Delete processing activity", a processing activity can be deleted so long as it has not been completed.
* <b>Achtung:</b> Abgeschlossene Verarbeitungstätigkeiten können, aufgrund der Historisierung, nicht mehr gelöscht werden! Sie können lediglich in der Übersicht unter "Datenschutz Verarbeitungsregister Verarbeitungstätigkeiten" durch den Button "Verarbeitungstätigkeit außer Kraft setzen" außer Kraft gesetzt werden.
* <b>Caution:</b> Because of their historicization, completed processing activities can no longer be deleted! They can merely be annulled by selecting the Button "Annul processing activity" in the overview found in "Data protection Processing registers Processing activities".
* Außer Kraft gesetzte Verarbeitungstätigkeiten können nicht mehr aktiviert werden!
* Annulled processing activities can no longer be activated!


:[[Datei:Verarbeitungstätigkeit außer Kraft setzen.png|left]]
:[[Datei:Verarbeitungstätigkeit außer Kraft setzen.png|left]]
<br clear=all>
<br clear=all>


== <span id="Betroffene hinzufügen"></span>Betroffene hinzufügen ==
<span id="Betroffene_hinzufügen"></span>
== <span id="Betroffene hinzufügen"></span>Add data subjects ==


In diesem Punkt fügt ein Experte, ein verantwortlicher Professional, oder der Sachbearbeiter Betroffenenkategorien zur Verarbeitungstätigkeit hinzu.
In this tab, an expert, a responsible professional or an advisor can add data subjects ot the processing activity.


Betroffenenkategorien können von Experten unter "Datenschutz Betroffenenkategorien" erstellt und verwaltet werden. Mehr dazu finden Sie [[Betroffenenkategorien|hier]].
Data subject categories can be created and administrated by experts in "Data protection Data subject categories". Find more [[Special:MyLanguage/Betroffenenkategorien|here]].


 
Clicking on "Assign existing data subject categories" opens a dialog in which you can choose which data subject categories are to be assigned to the processing activity. Here, choose all data subject categories whose personal data are processed in the processing activity.
Klicken Sie auf "Betroffene zuweisen", öffnet sich ein Dialog, bei dem Sie auswählen, welche Betroffenenkategorien zur Verarbeitungstätigkeit hinzugefügt werden sollen. Hier wählen Sie alle Betroffenenkategorien, von denen die Verarbeitungstätigkeit personenbezogene Daten verarbeitet.


[[Datei:Verarbeitungstätigkeit erstellen S2 Betroffene.PNG|left|thumb|900px]]
[[Datei:Verarbeitungstätigkeit erstellen S2 Betroffene.PNG|left|thumb|900px]]
<br clear=all>
<br clear=all>


<b>Wichtig:</b>
<b>Important:</b>


Es muss muss zu jeder Betroffenenkategorie die Rechtsgrundlagen nach Art. 6 DSGVO Rechtmäßigkeit der Verarbeitung angegeben werden. Für dies bietet die Spalte "Rechtmäßigkeit der Verarbeitung" folgende Gründe für die Verarbeitung personenbezogener Daten laut Art. 6 DSGVO an:
For every data subject category the legal basis of the processing has to be stated in accordance with Article 6 GDPR Lawfulness of processing. For this, the column "Legitimacy of the processing" offers the following reasons to choose from:
*Einwilligung zur Verarbeitung durch betroffene Person
* Consent to processing by data subject
*lebenswichtige Interessen
* Vital interests
*rechtliche Verpflichtung
* Legal obligation
*Vertragserfüllung bzw. vorvertragliche Maßnahmen
* Performance of the contract or pre-contractual measures
*im öffentlichen Interesse oder in Ausübung öffentlicher Gewalt
* In the public interest or in the exercise of official authority
*berechtigte Interessen des Verantwortlichen oder eines Dritten
* Legitimate interests of the responsible person or a third party
*sonstige Gründe (<b>DSGVO: rechtlich nicht zulässig</b>)
* Other reasons (<b>GDPR: legally not justified</b>)
:: Dieses Option dient hauptsächlich als Platzhalter, für den Fall, dass die Rechtsgrundlage noch nicht ganz klar ist! Sie ist keinenfalls eine gültige Rechtsgrundlage laut Art. 6 der DSGVO. Sie sollte also in der fertigen VT <b>nicht</b> vorkommen, sondern durch eine gültige Rechtsgrundlage ersetzt werden!
:: This option mainly serves as a placeholder in case the legitimacy is unclear at the time of creating the processing activity! It is by no means avalid legal basis in accordance with Art. 6 GDPR. Therefore, it should <b>not</b> appear in the finished PA but be replaced with a valid legal basis!


Es können auch mehrere Rechtmäßigkeiten für die Verarbeitung angegeben werden.
It is possible to select multiple legal bases for the processing.


== <span id="Datenkategorien hinzufügen"></span>Datenkategorien hinzufügen ==
<span id="Datenkategorien_hinzufügen"></span>
== <span id="Datenkategorien hinzufügen"></span>Add data categories ==


In diesem Punkt fügt ein Experte, ein verantwortlicher Professional, oder der Sachbearbeiter die personenbezogenen Datenkategorien zu den einzelnen Betroffenenkategorien hinzu. Es stehen nur die Datenkategorien zu Auswahl, welche mit personenbezogen gekennzeichnet sind.
In this tab, an expert, a responsible professional, or an advisor adds the personal data categories to the respective data subject categories. Only those data categories are available that have been marked as "personal".


Datenkategorien können von Experten unter "Administration → Datenkategorien" erstellt und verwaltet werden. Mehr dazu finden Sie [[Datenkategorien|hier]].
Data categories can be created and administrated by experts in "Administration → Data categories". Find more [[Special:MyLanguage/Datenkategorien|here]].


Zur Tabelle:
About the table:
* Diese Tabelle enthält Eingabefelder, die ausgefüllt werden können.
* This table contains input fields that can be filled in.
* Die Datenkategorien werden hierarchisch angezeigt. Geben Sie in eine übergeordnete Datenkategorie bei einem leeren Feld etwas ein, so wird dies auf alle unterliegenden Datenkategorien übernommen. Beispiel: Wird in dem Feld "Kenndaten Faktor" 7 eingegeben, so wird dieser Wert an die untergeordneten Datenkategorien wie Benutzername übergeben.
* The data categories are displayed hierarchically. Any information entered for a superordinate data category is applied to all subordinate data categories. Example: If the value 7 is entered in the field "Time limit for erasure Factor", this value is forwarded to all subordinate data categories.
* Ist bei einer Datenkategorie eine Löschfrist gesetzt, so wird diese automatisch übernommen. Passt diese für diese VT allerdings nicht, kann sie ohne Probleme hier geändert werden.
* If a time limit for erasure is set for a data category, it is applied automatically. If it does not fit the PA, it can be changed here without issue.


<b>Achtung:</b>
<b>Caution:</b>
* Das Zuweisen von neuen Empfängern bei der übergeordneten Datenkategorie ersetzt die bestehenden Zuweisungen nicht, sondern ergänzt diese. Wenn bereits z.B. Empfänger A für die untergeordneten Datenkategorien eingetragen wurde und man dann zusätzlich bei der übergeordneten Datenkategorie Empfänger B eingibt, so wird den untergeordneten Datenkategorien Empfänger B zusätzlich zum Empfänger A zugewiesen.
* Assigning new recipients in the superordinate data category does not replace the existing allocations but supplements them. Example: If recipient A has already been assigned to the subordinate data categories and recipient B is assigned to the superordinate data category, then the subordinate data categories are assigned recipient B in addition to recipient A.


:[[Datei:Verarbeitungstätigkeit Grid.gif|thumb|left|900px]]
:[[Datei:Verarbeitungstätigkeit Grid.gif|thumb|left|900px]]
<br clear=all>
<br clear=all>


=== Datenkategorie hinzufügen/übertragen ===
<span id="Datenkategorie_hinzufügen/übertragen"></span>
=== Assign/transfer data category ===


[[Datei:Verarbeitungstätigkeit erstellen S3 Datenkategorien.PNG|left|thumb|903px|Datenkategorien hinzufügen]]
[[Datei:Verarbeitungstätigkeit erstellen S3 Datenkategorien.PNG|left|thumb|903px|Assign data categories]]
<br clear=all>
<br clear=all>


[[Datei:Verarbeitungstätigkeit erstellen S4 Empfänger intern.PNG|450px|Interne Empfänger]]
[[Datei:Verarbeitungstätigkeit erstellen S4 Empfänger intern.PNG|450px|Internal recipients]]
[[Datei:Verarbeitungstätigkeit erstellen S4 Empfänger extern.PNG|450px|Externe Empfänger]]
[[Datei:Verarbeitungstätigkeit erstellen S4 Empfänger extern.PNG|450px|External recipients]]
<br clear=all>
<br clear=all>


'''Datenkategorien werden wie folgt hinzugefügt:'''
<span id="Datenkategorien_hinzufügen"></span>
# Über "Datenkategorien zuweisen" öffnet sich ein Dialog, in dem Sie der Betroffenenkategorie die Datenkategorien des Betroffenen zuweisen. Diese werden von der Verarbeitungstätigkeit verarbeitet.
==== Assign data categories ====
 
Data categories are assigned as follows:
# Selecting "Assign existing data categories" opens a dialog in which the data category is added to the data subject category. These are the categories of data processed in the processing activity.
#:
#:
# Datenherkunft: hier wird angegeben, woher diese Daten kommen.
# Source of data: this shows where the data originates.
#:
#:
# Löschfrist: hier wird angegeben, nach welchem Zeitraum diese Daten gelöscht werden müssen. Weiters sollte diese Löschfrist begründet werden, z.B indem auf gesetzliche Aufbewahrungspflichten verwiesen wird.
# Time limit for erasure: this specifies after which amount of time data must be deleted. Also, the deletion period must be justified, i.e. by referring to legal obligations to preserve records. If a reason has been recorded with the time limit of erasure itself, it is applied.
#:
#:
# Empfänger: Hier wird angegeben, an wen die personenbezogenen Daten weitergegeben werden. Dabei wird zwischen internen und externen Empfängern unterschieden. Interne sind Organisationseinheiten Ihres Unternehmens. Externe sind Betriebsfremde, wie Banken, das Arbeitsmarktservice, Gerichte, Behörden, etc. Um Empfänger hinzuzufügen, müssen Sie in einem leeren Empfänger-Feld doppelklicken. Dadurch öffnet sich ein Dialog, in dem Interne und Externe zum Hinzufügen ausgewählt werden können.
# Recipient: this states who receives the personal data. A distinction is made between internal and external recipients. Internal recipients are the company's organizational units. External recipients include banks, the unemployment office, courts, authorities, etc. In order to add a recipient, double-click into an empty recipient field. This opens a dialog in which internal and external recipients can be selected.
#:
#:
# Es soll darauf geachtet werden, dass alle Betroffenenkategorien behandelt wurden! (Über den Reiter oben kann auf andere Betroffenenkategorien gewechselt werden)
# It must be ensured that all data subject categories are dealt with! (It is possible to navigate to the data subject categories via the tabs at the top.)


==== Datenkategorien übertragen ====
<span id="Datenkategorien_übertragen"></span>
==== Transfer data categories ====


Betrifft eine VT mehrere Betroffenenkategorien, dann werden von diesen Betroffenenkategorien vermutlich auch dieselben Datenkategorien verarbeitet. Damit die Zuweisung und Konfiguration dieser Datenkategorien nicht bei jeder Betroffenenkategorie separat erfolgen muss, gibt es den "Datenkategorien übertragen" Button. Dieser Button kopiert die aktuellen Datenkategorien mit ihren Konfigurationen auf die ausgewählten Betroffenenkategorien.
If a PA affects multiple data subject categories, it is likely that the same data categories are processed for each of them. In order to avoid having to assign and configure the data categories separately for each data subject category, there is an option to "Transfer assigned data categories". This button copies all current data categories with their respective configurations to the selected data subject categories.


[[Datei:VT_Betroffenen_Datenkategorien_übertragen.png|900px|left|thumb|Datenkategorien übertragen]]
[[Datei:VT_Betroffenen_Datenkategorien_übertragen.png|900px|left|thumb|Transfer data categories]]
<br clear=all>
<br clear=all>


== <span id="Empfänger Übersicht"></span>Empfänger Übersicht ==
<span id="Übersicht_der_Empfänger"></span>
== <span id="Empfänger Übersicht"></span>Overview of recipients ==


In diesem Punkt werden alle Empfänger aufgelistet, die einer Datenkategorie zugewiesen wurden. Hier wird erfasst, welchen Zweck der Transfer von personenbezogenen Daten an den Empfänger erfüllt und auf welcher Rechtsgrundlage dieser beruht. Weiters kann angegeben werden, ob es sich beim Empfänger um einen Auftragsverarbeiter handelt.
In this tab, all recipients assigned to a data category are listed. It is recorded what the purpose of a transfer of personal data to a recipient is and what legal basis the transfer is based on. Furthermore, it can be recorded whether the recipient is also a data processor.


Zweck und Rechtsgrundlage sind in dieser Tabelle ein Eingabefeld und werden so erfasst.
Purpose and legal basis are recorded via an input field in this table.


[[Datei:Verarbeitungstätigkeit erstellen S4 Empfänger.PNG|left|thumb|901px]]
[[Datei:Verarbeitungstätigkeit erstellen S4 Empfänger.PNG|left|thumb|901px]]
<br clear=all>
<br clear=all>


== <span id="Maßnahmen und Kontrolldefinitionen hinzufügen"></span>Maßnahmen und Kontrolldefinitionen hinzufügen==
<span id="Maßnahmen_und_Kontrolldefinitionen_hinzufügen"></span>
== <span id="Maßnahmen und Kontrolldefinitionen hinzufügen"></span>Assign measures and control definitions==


In diesem Punkt können technische und organisatorische Maßnahmen oder Kontrolle hinzugefügt werden, welche speziell für diese Verarbeitungstätigkeit gelten. Gilt eine technische und organisatorische Maßnahmen oder Kontrolle für alle Verarbeitungstätigkeiten, muss diese unter "Datenschutz → TOMs" zu den allgemeinen technischen und organisatorischen Maßnahmen und Kontrollen hinzugefügt werden. Mehr dazu finden Sie [[TOMs|hier]].
In this tab, technical and organizational measures and controls can be assigned to the specific processing activity. If a technical or organizational measure or control applies to all processing activities, it must be added to the general technical and organizational measures in "Data protection → TOMs". Find more on this [[Special:MyLanguage/TOMs|here]].




Zeile 173: Zeile 184:
<br clear=all>
<br clear=all>


== <span id="Weitere Angaben"></span>Weitere Angaben==
<span id="Weitere_Angaben"></span>
== <span id="Weitere Angaben"></span>Further details==


In diesem Punkt werden weitere Angaben zur Verarbeitungstätigkeit erfasst.
In this tab, further details about the processing activity are recorded.


[[Datei:Verarbeitungstätigkeit erstellen S6 sonstiges.PNG|left|thumb|901px| Weitere Angaben]]
[[Datei:Verarbeitungstätigkeit erstellen S6 sonstiges.PNG|left|thumb|900px| Further details]]
<br clear=all>
<br clear=all>


<b>Profiling</b>
<b>Profiling</b>
* Unter Profiling versteht die DSGVO jede Art der automatisierten Verarbeitung personenbezogener Daten, die darin besteht, dass diese personenbezogenen Daten verwendet werden, um bestimmte persönliche Aspekte, die sich auf eine natürliche Person beziehen, zu bewerten. Insbesondere geht es darum, Aspekte bezüglich Arbeitsleistung, wirtschaftlicher Lage, Gesundheit, persönlicher Vorlieben, Interessen, Zuverlässigkeit, Verhalten, Aufenthaltsort oder Ortswechsel dieser natürlichen Person zu analysieren oder vorherzusagen.
* Profiling, according to the GDPR, is any form of automated processing of personal data evaluating the personal aspects relating to a natural person, in particular to analyse or predict aspects concerning the data subject’s performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements.
 
* If the processing of personal data constitutes any kind of profiling, "Yes" must be selected here and profiling activity's involved logic and implications must be described. This is important as it must be recognizable in a notification of a processing activity whether profiling is involved or not!
 
<b>Impact assessment</b>
* This shows whether a data protection impact assessment has been completed for the current processing activity and if so, what its state is. The result of the data protection impact assessment can also dictate that the processing activity may no longer be carried out due to its not being aligned with the data protection regulations.
: The following states for the DPIA are possible:
:*No assessment performed → no DPIA is linked to the PA.
:*DPIA necessary → DPIA linked, but no result available yet.
:*DPIA not necessary → DPIA linked and deemed not necessary.
:*DPIA attached → DPIA linked, file attached, but no result available yet.
:*PA approved → DPIA available and as a result the PA may be carried out.
:*PA with stipulation → DPIA available and as a result the PA may only be carried out after the stipulations (measures/controls) have been implemented.
:*PA prohibited → DPIA available and as a result the PA may not be carried out because it goes against the data protection regulations.
:You can find more on data protection impact assessments in [[Special:MyLanguage/Datenschutz-Folgenabschätzung|"Data protection → DPIA"]].
 
<b>Resource assignment</b>
*From a list of all available resources of the application layer, it's possible to select and assign those that are used for the processing activity. If something is used that is not in the list, this information can be added in a text field.
*Doing this does not automatically create relationships in the structuraly analysis; the data is of a purely informative nature.
 
<span id="Optional:_Schwellwertanalyse"></span>
== <span id="VT_Schwellwert"></span>Optional: Threshold analysis==
 
If the practitioner users in the department have sufficient knowledge and expertise in data protection to evaluate the thresholds of a DPIA necessity, this analysis can optionally be made available in step 7 of the PA. In this case, the DPIA information is also moved to step 7 from step 6.<p>This configuration cannot currently be made by HITGuard users; if you would like to offer the threshold analysis as part of the PA, please contact us.<p>If the threshold analysis is activated as part of the PA and has been filled in by the responsible person or advisor, and the PA is assigned to a DPIA as the main PA, the set values are adopted and preset in the DPIA's threshold analysis step.


* Handelt es sich bei der Verarbeitung der personenbezogenen Daten um eine Art von Profiling, muss hier "Ja" ausgewählt werden und bei der Beschreibung das Profiling beschrieben werden. Dies ist wichtig, da bei einer Verarbeitungsmeldung erkenntlich sein muss, ob es sich um Profiling handelt oder nicht!
:You can find more on the threshold analysis under [[Special:MyLanguage/Datenschutz-Folgenabschätzung|"Data protection → DPIA"]].


<b>Folgenabschätzung</b>
[[Datei:Rn233_VT_Schritt7.png|left|thumb|900px|Optional step 7]]
* Hier wird angezeigt, ob es zur aktuellen Verarbeitungstätigkeit eine Datenschutzfolgenabschätzung gibt. Mehr Infos zu Datenschutzfolgenabschätzungen finden Sie unter [[Datenschutz-Folgenabschätzung|"Datenschutz → DSFA"]].
<br clear=all>

Aktuelle Version vom 7. März 2024, 15:31 Uhr

What is a processing activity?

A legal definition of the term can be found in Art. 4 of the GDPR, where "processing activity" is defined as follows:
  • any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means.
This means a processing activity is any process or procedure in which any form of personal data is processed, whether it is simply saved or used for evaluation.

Processing activity details

Now, the individual parts of the processing activity will be described.

Details der Verarbeitungstätigkeit


Organizational register:

  • Here, name the register responsible for the processing activity.

PA-responsibility:

  • Here, designate one or more persons responsible, who decide over the means and purpose of the processing of the personal data. For this, enter the organizational units or external persons responsible for the processing activity. In the mapping dialog, only those contacts created in "Data protection → Externals" are displayed, which have also been marked as PA-responsible. This label needs to be set directly in the External creation mask ("Data protection → Externals"). If the respective external has not yet been created, this can be done directly here.

Code and Name:

  • Here, assign a code and a name for the PA.

Purpose of the processing activity:

  • Here, the purpose of the processing of the personal data must be recorded.

Person responsible:

  • The person or team responsible for the PA within the company.

Advisor:

  • This is the person or team tasked with editing the processing activity.

Joint responsibility:

  • If two or more responsibles together decide the purposes and means of a processing activity, they share joint responsibility. In a transparent agreement, they stipulate which of them fulfills which one of the obligations according to the ordinance, especially regarding the rights of the data subjects, and who complies with information obligation in accordance with Articles 13 and 14.
  • There should also be a short description of who fulfills which obligations according to the ordinance.
  • Agreements and any other relevant documents created for this purpose can be uploaded here.

Implementation date:

  • Set the date the processing activity becomes valid.

Version date:

  • Set the date the current version of the processing activity becomes valid.

Version number:

  • This displays which version of the processing activity is currently active.

Change log:

  • Here, the time and author of changes made to the processing activity, the time of a status change, and the time of its completion are recorded.


Status and deletion of a processing activity

A processing activity can be in various states. If e-mail notifications are activated in the management system, all relevant people in the workflow are prompted to perform their respective tasks when the state is changed. In this case, it would be the advisor, if an expert of professional requests the editing of a processing activity.

Draft

  • The first time a processing activity is saved or when it is deactivated while in the state "In editing", it is moved into the state "Draft". From here, it can be activated, as in moved into the state "In editing".

In editing

  • When a processing activity is activated, it is moved into the state "In editing". It is now time for an expert or a responsible professional to perform the processing activity or to request performance from an advisor by selecting "Request editing".
  • It can be moved back into the state "Draft" by selecting "Deactivate editing".
  • It can be moved into the state "Editing completed" by selecting "Complete editing".


Editing requested

  • When a processing activity is requested, it is moved into the state "Editing requested". The advisor is now prompted via e-mail to edit the processing activity.
  • It can be moved into the state "Answered" by selecting "Submit edits".

Answered

  • When a processing activity is returned by the advisor via the option "Submit edits", it is moved into the state "Answered".
  • It can be moved back into the state "Editing requested" by selecting "Request editing" again and the advisor will have to revise their edits.
  • It can be returned into the state "Draft" by selecting "Deactivate editing".
  • It can be moved into the state "Editing completed" by selecting "Complete editing".

Editing completed

  • When a processing activity is moved into the state "Editing completed" by selecting "Commplete editing", it is turned read-only and can no longer be edited.
  • When the processing activity moves into this state, a process is created automatically for this processing activity. Processes are accessible to experts in "Administration → Processes".
  • When completing a processing activity, it is possible to link it to a DPIA if at least one prior version of the PA is linked to that DPIA. There is also a suggestion to review and possibly update that DPIA.

Deleting and annulling a processing activity

  • By selecting "Delete processing activity", a processing activity can be deleted so long as it has not been completed.
  • Caution: Because of their historicization, completed processing activities can no longer be deleted! They can merely be annulled by selecting the Button "Annul processing activity" in the overview found in "Data protection → Processing registers → Processing activities".
  • Annulled processing activities can no longer be activated!


Add data subjects

In this tab, an expert, a responsible professional or an advisor can add data subjects ot the processing activity.

Data subject categories can be created and administrated by experts in "Data protection → Data subject categories". Find more here.

Clicking on "Assign existing data subject categories" opens a dialog in which you can choose which data subject categories are to be assigned to the processing activity. Here, choose all data subject categories whose personal data are processed in the processing activity.


Important:

For every data subject category the legal basis of the processing has to be stated in accordance with Article 6 GDPR Lawfulness of processing. For this, the column "Legitimacy of the processing" offers the following reasons to choose from:

  • Consent to processing by data subject
  • Vital interests
  • Legal obligation
  • Performance of the contract or pre-contractual measures
  • In the public interest or in the exercise of official authority
  • Legitimate interests of the responsible person or a third party
  • Other reasons (GDPR: legally not justified)
This option mainly serves as a placeholder in case the legitimacy is unclear at the time of creating the processing activity! It is by no means avalid legal basis in accordance with Art. 6 GDPR. Therefore, it should not appear in the finished PA but be replaced with a valid legal basis!

It is possible to select multiple legal bases for the processing.

Add data categories

In this tab, an expert, a responsible professional, or an advisor adds the personal data categories to the respective data subject categories. Only those data categories are available that have been marked as "personal".

Data categories can be created and administrated by experts in "Administration → Data categories". Find more here.

About the table:

  • This table contains input fields that can be filled in.
  • The data categories are displayed hierarchically. Any information entered for a superordinate data category is applied to all subordinate data categories. Example: If the value 7 is entered in the field "Time limit for erasure → Factor", this value is forwarded to all subordinate data categories.
  • If a time limit for erasure is set for a data category, it is applied automatically. If it does not fit the PA, it can be changed here without issue.

Caution:

  • Assigning new recipients in the superordinate data category does not replace the existing allocations but supplements them. Example: If recipient A has already been assigned to the subordinate data categories and recipient B is assigned to the superordinate data category, then the subordinate data categories are assigned recipient B in addition to recipient A.


Assign/transfer data category

Assign data categories


Internal recipients External recipients

Assign data categories

Data categories are assigned as follows:

  1. Selecting "Assign existing data categories" opens a dialog in which the data category is added to the data subject category. These are the categories of data processed in the processing activity.
  2. Source of data: this shows where the data originates.
  3. Time limit for erasure: this specifies after which amount of time data must be deleted. Also, the deletion period must be justified, i.e. by referring to legal obligations to preserve records. If a reason has been recorded with the time limit of erasure itself, it is applied.
  4. Recipient: this states who receives the personal data. A distinction is made between internal and external recipients. Internal recipients are the company's organizational units. External recipients include banks, the unemployment office, courts, authorities, etc. In order to add a recipient, double-click into an empty recipient field. This opens a dialog in which internal and external recipients can be selected.
  5. It must be ensured that all data subject categories are dealt with! (It is possible to navigate to the data subject categories via the tabs at the top.)

Transfer data categories

If a PA affects multiple data subject categories, it is likely that the same data categories are processed for each of them. In order to avoid having to assign and configure the data categories separately for each data subject category, there is an option to "Transfer assigned data categories". This button copies all current data categories with their respective configurations to the selected data subject categories.

Transfer data categories


Overview of recipients

In this tab, all recipients assigned to a data category are listed. It is recorded what the purpose of a transfer of personal data to a recipient is and what legal basis the transfer is based on. Furthermore, it can be recorded whether the recipient is also a data processor.

Purpose and legal basis are recorded via an input field in this table.


Assign measures and control definitions

In this tab, technical and organizational measures and controls can be assigned to the specific processing activity. If a technical or organizational measure or control applies to all processing activities, it must be added to the general technical and organizational measures in "Data protection → TOMs". Find more on this here.



Further details

In this tab, further details about the processing activity are recorded.

Further details


Profiling

  • Profiling, according to the GDPR, is any form of automated processing of personal data evaluating the personal aspects relating to a natural person, in particular to analyse or predict aspects concerning the data subject’s performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements.
  • If the processing of personal data constitutes any kind of profiling, "Yes" must be selected here and profiling activity's involved logic and implications must be described. This is important as it must be recognizable in a notification of a processing activity whether profiling is involved or not!

Impact assessment

  • This shows whether a data protection impact assessment has been completed for the current processing activity and if so, what its state is. The result of the data protection impact assessment can also dictate that the processing activity may no longer be carried out due to its not being aligned with the data protection regulations.
The following states for the DPIA are possible:
  • No assessment performed → no DPIA is linked to the PA.
  • DPIA necessary → DPIA linked, but no result available yet.
  • DPIA not necessary → DPIA linked and deemed not necessary.
  • DPIA attached → DPIA linked, file attached, but no result available yet.
  • PA approved → DPIA available and as a result the PA may be carried out.
  • PA with stipulation → DPIA available and as a result the PA may only be carried out after the stipulations (measures/controls) have been implemented.
  • PA prohibited → DPIA available and as a result the PA may not be carried out because it goes against the data protection regulations.
You can find more on data protection impact assessments in "Data protection → DPIA".

Resource assignment

  • From a list of all available resources of the application layer, it's possible to select and assign those that are used for the processing activity. If something is used that is not in the list, this information can be added in a text field.
  • Doing this does not automatically create relationships in the structuraly analysis; the data is of a purely informative nature.

Optional: Threshold analysis

If the practitioner users in the department have sufficient knowledge and expertise in data protection to evaluate the thresholds of a DPIA necessity, this analysis can optionally be made available in step 7 of the PA. In this case, the DPIA information is also moved to step 7 from step 6.

This configuration cannot currently be made by HITGuard users; if you would like to offer the threshold analysis as part of the PA, please contact us.

If the threshold analysis is activated as part of the PA and has been filled in by the responsible person or advisor, and the PA is assigned to a DPIA as the main PA, the set values are adopted and preset in the DPIA's threshold analysis step.

You can find more on the threshold analysis under "Data protection → DPIA".
Optional step 7