Verarbeitungstätigkeit/en: Difference between revisions
Current version as of 11 February 2026, 16:03
What is a processing activity?
- A legal definition of the term can be found in Art. 4 of the GDPR. It defines "processing activity" as follows:
- any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means.
- This means a processing activity is any process or procedure in which any form of personal data is processed, whether it is simply saved or used for evaluation.
Processing activity details
Each processing activity is fundamentally defined by its header data. The screenshot below shows the header data page. The section that follows will describe the individual input fields.
Organizational register:
- Here, name the organizational register responsible for the processing activity.
PA-responsibility:
Here, you can enter one or more organizational units and externals that are responsible for processing the data. These entities decide on the means and purpose of the processing of the personal data.
When assigning these entities, HITGuard only displays those externals that are also marked as "is PA-responsible" in the menu item "Data protection → External". This setting must be made directly on the page for editing externals. However, if the desired external does not yet exist, it can also be created here in the processing activity, which automatically sets it as PA-responsible.
Code and Name:
- Here, assign a code and a name for the PA.
Purpose of the processing activity:
- Here, you must record the purpose of the processing of the personal data.
Person responsible:
- The person or team responsible for the PA within the company.
Advisor:
- The Advisor is the person or team assigned to handle the processing activity. You can also send the processing activity to the advisor, delegating the task of editing to him/her. To do this, click on the small triangle in the blue workflow button at the top right and then select "Request editing".
Joint responsibility:
- If two or more responsible parties together decide the purposes and means of a processing activity, they share joint responsibility. In a transparent agreement, they stipulate which of them fulfills which of the obligations under the regulation, especially regarding the rights of the data subjects, and who complies with the information obligations in accordance with Articles 13 and 14.
- There should also be a short description of who fulfills which obligations under the regulation.
- Agreements and any other relevant documents created for this purpose can be uploaded here.
Implementation date:
- Set the date the processing activity becomes valid.
Version date:
- Set the date the current version of the processing activity becomes valid.
Version number:
- Here, HITGuard displays which version of the processing activity is involved. Once a processing activity has been completed, this version remains read-only. Updates to the processing activities are made in a new version. You can create these in the processing activity register.
Change log:
- Here, the time and author of changes made to the processing activity, the time of a status change, and the time of its completion are recorded.
Status and deletion of a processing activity
A processing activity can be in various states. If e-mail notifications are activated in the management system, all relevant people in the workflow are prompted to perform their respective tasks when the state is changed. For example, if an expert or professional requests the editing of a processing activity, the advisor is prompted.
Draft
- The first time a processing activity is saved, or when it is deactivated while in the state "In editing", it is moved into the state "Draft". From here, it can be activated, i.e. moved into the state "In editing".
In editing
- When a processing activity is activated, it is moved into the state "In editing". It is now time for an expert or a responsible professional to perform the processing activity or to request performance from an advisor by selecting "Request editing".
- It can be moved back into the state "Draft" by selecting "Deactivate editing".
- It can be moved into the state "Editing completed" by selecting "Complete editing".
Editing requested
- When a processing activity is requested, it is moved into the state "Editing requested". The advisor is now prompted via e-mail to edit the processing activity.
- It can be moved into the state "Answered" by selecting "Submit edits".
Answered
- When a processing activity is returned by the advisor via the option "Submit edits", it is moved into the state "Answered".
- It can be moved back into the state "Editing requested" by selecting "Request editing" again and the advisor will have to revise their edits.
- It can be returned into the state "Draft" by selecting "Deactivate editing".
- It can be moved into the state "Editing completed" by selecting "Complete editing". Only in this status does the processing activity not block you from creating a successor analysis period.
Editing completed
- When a processing activity is moved into the state "Editing completed" by selecting "Complete editing", it becomes read-only and can no longer be edited.
- When the processing activity moves into this state, a process is created automatically for this processing activity. Processes are accessible to experts in "Administration → Processes".
- When completing a processing activity, it is possible to link it to a DPIA if at least one prior version of the PA is linked to that DPIA. There is also a suggestion to review and possibly update that DPIA.
- Note: If the Advisor has not yet returned the processing activity, you cannot create a successor analysis period.
Deleting and annulling a processing activity
- By selecting "Delete processing activity", a processing activity can be deleted so long as it has not been completed.
- Caution: Because of their historicization, completed processing activities can no longer be deleted! They can merely be annulled by selecting the button "Annul processing activity" in the overview found in "Data protection → Processing registers → Processing activities".
- Annulled processing activities can no longer be activated!
Add data subjects
In this tab, an expert, a responsible professional or an advisor can add data subjects to the processing activity.
Data subject categories can be created and administrated by experts in "Data protection → Data subject categories". Find more here.
Clicking on "Assign existing data subject categories" opens a dialog in which you can choose which data subject categories are to be assigned to the processing activity. Here, choose all data subject categories whose personal data are processed in the processing activity.
Important:
For every data subject category, the legal basis of the processing has to be stated in accordance with Article 6 GDPR ("Lawfulness of processing"). For this, the column "Legitimacy of the processing" offers the following reasons to choose from:
- Consent to processing by data subject
- Vital interests
- Legal obligation
- Performance of the contract or pre-contractual measures
- In the public interest or in the exercise of official authority
- Legitimate interests of the responsible person or a third party
- Other reasons (GDPR: legally not justified)
- This option mainly serves as a placeholder in case the legitimacy is unclear at the time of creating the processing activity! It is by no means a valid legal basis in accordance with Art. 6 GDPR. Therefore, it should not appear in the finished PA but be replaced with a valid legal basis!
It is possible to select multiple legal bases for the processing.
Legitimate interest
If the option "Legitimate interests of the responsible person or a third party" is selected for the legitimacy of the processing, this should be explained and justified properly in the remarks field. Additionally, the selection of this option for at least one category of data subjects can trigger the showing of the step 2.1 "Weighing of interests".
The following points can be explained in detail in this step:
- Explanation of the legitimate interest
- Necessity
- Opposing interests of data subjects
- Consideration of the interests or fundamental rights and freedoms of the data subject

If the processing activity is set as the main PA in a data protection impact assessment, the text of the explanation of the legitimate interest will be shown in step 4.4 "Necessity and proportionality".

If activated under Data protection > Settings, the legal obligation to the data subject categories can be recorded. This is done in the form of a norm-mapping.
Add data categories
In this tab, an expert, a responsible professional, or an advisor adds the personal data categories to the respective data subject categories. Only those data categories are available that have been marked as "personal".
Data categories can be created and administrated by experts in "Administration → Data categories". Find more here.
About the table:
- This table contains input fields that can be filled in.
- The data categories are displayed hierarchically. Any information entered for a superordinate data category is applied to all subordinate data categories. Example: If the value 7 is entered in the field "Time limit for erasure → Factor", this value is forwarded to all subordinate data categories.
- If a time limit for erasure is set for a data category, it is applied automatically. If it does not fit the PA, it can be changed here without issue.
Caution:
- Assigning new recipients in the superordinate data category does not replace the existing allocations but supplements them. Example: If recipient A has already been assigned to the subordinate data categories and recipient B is assigned to the superordinate data category, then the subordinate data categories are assigned recipient B in addition to recipient A.
Assign/transfer data category
Assign data categories
Data categories are assigned as follows:
- Selecting "Assign existing data categories" opens a dialog in which the data category is added to the data subject category. These are the categories of data processed in the processing activity.
- Source of data: this shows where the data originates.
- Time limit for erasure: this specifies after which amount of time data must be deleted. Also, the deletion period must be justified, i.e. by referring to legal obligations to preserve records. If a reason has been recorded with the time limit of erasure itself, it is applied.
- Recipient: this states who receives the personal data. A distinction is made between internal and external recipients. Internal recipients are the company's organizational units. External recipients include banks, the unemployment office, courts, authorities, etc. In order to add a recipient, double-click into an empty recipient field. This opens a dialog in which internal and external recipients can be selected.
- It must be ensured that all data subject categories are dealt with! (It is possible to navigate to the data subject categories via the tabs at the top.)
Transfer data categories
If a PA affects multiple data subject categories, it is likely that the same data categories are processed for each of them. In order to avoid having to assign and configure the data categories separately for each data subject category, there is an option to "Transfer assigned data categories". This button copies all current data categories with their respective configurations to the selected data subject categories.

Overview of recipients
In this tab, all recipients assigned to a data category are listed. It is recorded what the purpose of a transfer of personal data to a recipient is and what legal basis the transfer is based on. Furthermore, it can be recorded whether the recipient is also a data processor.
Purpose and legal basis are recorded via an input field in this table.
Assign measures and control definitions
In this tab, technical and organizational measures and controls can be assigned to the specific processing activity. If a technical or organizational measure or control applies to all processing activities, it must be added to the general technical and organizational measures in "Data protection → TOMs". Find more on this here.
Further details
In this tab, further details about the processing activity are recorded.
Profiling
- Profiling, according to the GDPR, is any form of automated processing of personal data evaluating the personal aspects relating to a natural person, in particular to analyse or predict aspects concerning the data subject’s performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements.
- If the processing of personal data constitutes any kind of profiling, "Yes" must be selected here and the logic involved in the profiling and its implications must be described. This is important as it must be recognizable in a notification of a processing activity whether profiling is involved or not!
Impact assessment
- This shows whether a data protection impact assessment has been completed for the current processing activity and if so, what its state is. The result of the data protection impact assessment can also dictate that the processing activity may no longer be carried out due to its not being aligned with the data protection regulations.
- The following states for the DPIA are possible:
- No assessment performed → no DPIA is linked to the PA.
- DPIA necessary → DPIA linked, but no result available yet.
- DPIA not necessary → DPIA linked and deemed not necessary.
- DPIA attached → DPIA linked, file attached, but no result available yet.
- PA approved → DPIA available and as a result the PA may be carried out.
- PA with stipulation → DPIA available and as a result the PA may only be carried out after the stipulations (measures/controls) have been implemented.
- PA prohibited → DPIA available and as a result the PA may not be carried out because it goes against the data protection regulations.
- You can find more on data protection impact assessments in "Data protection → DPIA".
Resource assignment
- From a list of all available resources of the business service layer and the application layer (activated by default), it's possible to select and assign those that are used for the processing activity. Which model segment layers are available can be configured in the data protection settings. If something is used that is not in the list, this information can be added in a text field.
- Doing this does not automatically create relationships in the structural analysis; the data is of a purely informative nature.
Optional: Threshold analysis
If the practitioner users in the department have sufficient knowledge and expertise in data protection to evaluate the thresholds of a DPIA necessity, this analysis can optionally be made available in step 7 of the PA. In this case, the DPIA information is also moved to step 7 from step 6.
This configuration cannot currently be made by HITGuard users; if you would like to offer the threshold analysis as part of the PA, please contact us.
If the threshold analysis is activated as part of the PA and has been filled in by the responsible person or advisor, and the PA is assigned to a DPIA as the main PA, the set values are adopted and preset in the DPIA's threshold analysis step.
- You can find more on the threshold analysis under "Data protection → DPIA".


