Menü aufrufen
Toggle preferences menu
Persönliches Menü aufrufen
Nicht angemeldet
Ihre IP-Adresse wird öffentlich sichtbar sein, wenn Sie Änderungen vornehmen.

Datenschutz-Folgenabschätzung/en: Unterschied zwischen den Versionen

Aus HITGuard User Guide
Sala (Diskussion | Beiträge)
Die Seite wurde neu angelegt: „left|thumb|901px|Consultations <br clear=all>“
Faha (Diskussion | Beiträge)
Keine Bearbeitungszusammenfassung
Zeile 38: Zeile 38:
* Owners, directors, officers or other legally appointed corporate officers.
* Owners, directors, officers or other legally appointed corporate officers.


<div class="mw-translate-fuzzy">
<u>Processors:</u>
<u>Processors:</u>
* Those persons who are responsible for the processing activity in the company.
* Those persons who are responsible for the processing activity in the company.
</div>


<div class="mw-translate-fuzzy">
<u>Auditor:</u>
<u>Auditor:</u>
* The person who processes the DPIA. The user who creates the DPIA in HITGuard is suggested.
* The person who processes the DPIA. The user who creates the DPIA in HITGuard is suggested.
</div>


<u>Version date:</u>
<u>Version date:</u>
Zeile 50: Zeile 54:
* Here <b>must</b> be entered a version number for the DPIA. This is for historization purposes.
* Here <b>must</b> be entered a version number for the DPIA. This is for historization purposes.


<div class="mw-translate-fuzzy">
<u>Assigned processing activities:</u>
<u>Assigned processing activities:</u>
* Here, processing activities can be assigned to the DPIA. The DPIA applies to <b>all</b> assigned processing activities.
* Here, processing activities can be assigned to the DPIA. The DPIA applies to <b>all</b> assigned processing activities.
* A processing activity can only be assigned to a DPIA if it does not yet belong to any DPIA.
* A processing activity can only be assigned to a DPIA if it does not yet belong to any DPIA.
* Main processing activity: The data of this processing activity are loaded as a result of the DPIA.
* Main processing activity: The data of this processing activity are loaded as a result of the DPIA.
</div>


=== Necessity test ===
=== Necessity test ===
Zeile 93: Zeile 99:
Unlike the previous point, this one assumes that there is no exception to the DPIA.
Unlike the previous point, this one assumes that there is no exception to the DPIA.


<div class="mw-translate-fuzzy">
There are cases where it is mandatory to perform a data protection impact assessment. These include:  
There are cases where it is mandatory to perform a data protection impact assessment. These include:  
* Art. 35(3) GDPR:
* Art. 35(3) GDPR:
:: Concerns automated processing including profiling, extensive processing of special categories of personal data or criminal convictions and offences, and systematic, extensive monitoring of publicly accessible areas.
:: Concerns automated processing including profiling, extensive processing of special categories of personal data or criminal convictions and offences, and systematic, extensive monitoring of publicly accessible areas.
</div>


* Mention on the blacklist:  
* Mention on the blacklist:  
Zeile 142: Zeile 150:
<br clear=all>
<br clear=all>


<div class="mw-translate-fuzzy">
==== Norms and standards ====
==== Norms and standards ====
In this item, norms and standards are to be listed which are used for the processing. This also includes guidelines and data protection certifications (Art. 42 GDPR) as well as approved codes of conduct (Art. 40 GDPR).
In this item, norms and standards are to be listed which are used for the processing. This also includes guidelines and data protection certifications (Art. 42 GDPR) as well as approved codes of conduct (Art. 40 GDPR).
</div>


Approved rules of conduct are often referred to as "codes of conduct". They are published by an association, e.g., a federation or association such as professional associations or chambers. The association issues the approved rules of conduct as binding specifications to determine the data protection-related conduct of its members. The DSFA must describe whether there are approved rules of conduct pursuant to Art. 40 GDPR to which the company subscribes and whose requirements they implement or comply with.
Approved rules of conduct are often referred to as "codes of conduct". They are published by an association, e.g., a federation or association such as professional associations or chambers. The association issues the approved rules of conduct as binding specifications to determine the data protection-related conduct of its members. The DSFA must describe whether there are approved rules of conduct pursuant to Art. 40 GDPR to which the company subscribes and whose requirements they implement or comply with.
Zeile 202: Zeile 212:
This point of the DPIA records what is done to grant the personal rights of the data subjects.
This point of the DPIA records what is done to grant the personal rights of the data subjects.


<div class="mw-translate-fuzzy">
Several points of the GDPR must be clarified for this purpose:
Several points of the GDPR must be clarified for this purpose:
* Information obligation (Art 12-14 GDPR) and consent of the data subject (Art. 6 GDPR):
* Information obligation (Art 12-14 GDPR) and consent of the data subject (Art. 6 GDPR):
Zeile 218: Zeile 229:
:: It must be described if and how the data subject's point of view was collected.  
:: It must be described if and how the data subject's point of view was collected.  
:: If it was not raised, this must be justified!
:: If it was not raised, this must be justified!
</div>


[[Datei:DSFA Schritt 4.5 Persönlichkeitsrechte 1.PNG|left|thumb|900px|Personal rights of the persons concerned 1]]
[[Datei:DSFA Schritt 4.5 Persönlichkeitsrechte 1.PNG|left|thumb|900px|Personal rights of the persons concerned 1]]

Version vom 15. November 2021, 08:19 Uhr

According to the General Data Protection Regulation, it must be documented and decided for each processing activity whether a data protection impact assessment (DPIA) is to be carried out. This is done in the course of a data protection impact assessment requirement assessment.

Related processing activities may be subject to the same DPIA necessity test to declare that a DPIA is or is not necessary for the processing activity.

A DPIA in HITGuard combines the DPIA requirement check and the subsequent DPIA. First, the requirement check is performed and then, depending on the result of the check, the documentation step can either be completed or a DPIA must consequently be performed and thus documented.

In HITGuard, these DPIA can be found and managed under the menu item "Privacy → DPIA".

There is also the possibility to store existing DPIA documents.

Important: A standard DPIA report and likewise a report for consultation with the data protection authority can be prepared.


DPIA

To create a DPIA, click the "Plus" button in the DPIA overview ("Privacy → DPIA").

To edit a DPIA, double-click on the desired DPIA.

In the following picture you can find an overview of all DPIA:

Overview of the DPIA


Review details

The following describes the verification details of a DPIA.

Review details


Designation:

  • A designation for the DPIA is assigned here.

Confirmers:

  • Owners, directors, officers or other legally appointed corporate officers.

Processors:

  • Those persons who are responsible for the processing activity in the company.

Auditor:

  • The person who processes the DPIA. The user who creates the DPIA in HITGuard is suggested.

Version date:

  • Here must be entered a date for the version of the DPIA.

Version number:

  • Here must be entered a version number for the DPIA. This is for historization purposes.

Assigned processing activities:

  • Here, processing activities can be assigned to the DPIA. The DPIA applies to all assigned processing activities.
  • A processing activity can only be assigned to a DPIA if it does not yet belong to any DPIA.
  • Main processing activity: The data of this processing activity are loaded as a result of the DPIA.

Necessity test


The necessity test is the step towards knowing whether a DPIA needs to be performed for the assigned processing activities.

To assess whether a DPIA is necessary, three cases are distinguished:

  1. It is an exception to the DPIA.
  2. The necessity of the DPIA is specified.
  3. A threshold analysis is performed to determine whether a DPIA is necessary.

A DPIA necessity check or a DPIA may apply to related processing activities. This is the case if the processing activity address a similar risk. Therefore, it is possible to link several processing activities to the DPIA in the verification details. The processing activity marked as "Main processing activity" is the basis from which HITGuard draws the collected information from the processing activity (e.g., data categories, resources used, etc.) in the DPIA steps of the wizard.

Exception to the DSFA

There are cases in which it is not necessary to conduct a data protection impact assessment. These include, among others:

Anticipation:

If the processing activities have been reviewed and approved by the data protection authority before May 2018 and have not changed, the data protection impact assessment may be omitted.

Whitelisting:

If the processing activity is on the list of types of processing activities that do not require a DPIA that the supervisory authority may establish (Art. 35(5)), the DPIA may be omitted.

Similarity assessment:.

If the review of similar processing activities reveals similarly high risks due to their nature, scope, circumstances and purpose, then a data protection impact assessment may be carried out jointly (Art. 35 (1) GDPR).

Depending on whether it is an exception or not, this concludes the necessity test and the DPIA is done or continues to the next step.

Important: If "Yes" is selected, reasons must be given as to why no data protection impact assessment is to be carried out! Yes" means that the necessity test has been completed and no further test steps need to be performed.

Exception to the DPIA


Necessity of the DPIA specified

Unlike the previous point, this one assumes that there is no exception to the DPIA.

There are cases where it is mandatory to perform a data protection impact assessment. These include:

  • Art. 35(3) GDPR:
Concerns automated processing including profiling, extensive processing of special categories of personal data or criminal convictions and offences, and systematic, extensive monitoring of publicly accessible areas.
  • Mention on the blacklist:
The supervisory authority draws up a list of processing activities for which a DPIA must be performed. Once this list has been published, it must be taken into account here.

Additionally, a rationale for the decision can be recorded.

Important:

  • "Yes" skips the "Threshold Analysis" item, as DPIA is definitely to be performed.
Necessity of the DPIA specified


Threshold analysis

If the necessity of a DPIA is not specified by a clear obligation to perform or not to perform it, it is at the discretion of the controller to assess the necessity of performing the DPIA. The information provided by the Art. 29 Data Protection Working Party will help in this regard. The handling of the list of criteria is recommended as follows, by means of a rule of thumb: A high risk exists in any case if at least two of the criteria are met. In this case, a DPIA should be carried out.

In order to find out which criteria are met, the working paper "248 Criteria of the European Data Protection Board" should be reviewed first!

Subsequently, a decision must be made as to whether a DSFA is to be performed. A justification for this decision must be recorded.

Necessity of the DPIA specified


Existing DPIA

The DPIA requirement check should be performed for every processing activity. With HITGuard, these verification steps can be verifiably documented. In some cases, the necessity check must be documented for the processing register. However, the DPIA has already been performed if, for example, it was created together with an external consultant. In this case, you may not want to document another DPIA in HITGuard. For the central collection of your documents in case of an official contact, you would like to merge all documents in HITGuard. In this case, you can mark in this step that a DPIA has already been performed. Upload the DPIA report here and specify that no further DPIA documentation steps are to be performed in HITGuard.

Important:

  • Setting the "DPIA already done" will disable the following steps of the DPIA , because the DPIA is already in place.
Existing DPIA


Processing information


If a DPIA is to be performed in HITGuard, the planned processing activities must first be described.

Art. 35 (7) (a) GDPR requires a systematic description of the planned processing activities including the purpose of the processing. For this purpose, HITGuard will load the purpose of processing already recorded there from the main processing activity. You can supplement this information with additional information such as area of application, user, etc.

The responsibilities for processing, such as the controller of the processing activity or any processors and information on joint processing are also presented to you from the main processing activity.

Processing Information


Norms and standards

In this item, norms and standards are to be listed which are used for the processing. This also includes guidelines and data protection certifications (Art. 42 GDPR) as well as approved codes of conduct (Art. 40 GDPR).

Approved rules of conduct are often referred to as "codes of conduct". They are published by an association, e.g., a federation or association such as professional associations or chambers. The association issues the approved rules of conduct as binding specifications to determine the data protection-related conduct of its members. The DSFA must describe whether there are approved rules of conduct pursuant to Art. 40 GDPR to which the company subscribes and whose requirements they implement or comply with.

Norms and Standards


Data and resources

In the DPIA, a detailed description of the planned processing activities, including the following information, can be found under this item: - all personal data processed, including information on categories of data subjects, recipients and information on the storage of the data - the information systems used for this purpose (= operating resources)

HITGuard supports you in this point, as it lists all relevant information about this that has already been recorded in the main processing activity here.

Data and resources


Detailed descriptions of the IT resources used can also be recorded here. Furthermore, documents with visualized representations of IT resources and their dependencies can be stored.

Data and resources: Upload file


Lifecycle of data and processes

In this item of the DPIA, a detailed account of the planned processing activities, including the following information, shall be recorded: - Description of the process steps for a detailed account of how the processing activity will work and what will happen. - Internal and external interfaces as well as data flows

To clarify the explanation, documents such as data flow diagrams can be attached in this step. In addition to capturing a detailed description, you can also upload a document.

Life cycle of data and processes


Necessity and proportionality

In this point of the DPIA, the necessity and proportionality of the processing activities are justified in accordance with Art. 35(7)(b) GDPR.

To do this, several points need to be clarified:

  • Lawfulness of processing:
The lawfulness of the processing operations of each data category are listed here. (Data categories from main processing activity)
  • Purpose limitation principle (Art. 5 Abs 1 b GDPR):
It must be explained why the processing purposes are determined, clearly defined and lawful.
  • Data minimization (Art. 5 (1) (c) GDPR):
It must be explained why the data collected are necessary, required and relevant.
  • Accuracy (Art. 5(1)(d) GDPR):
It must be described what steps are taken to ensure the quality of the data (accuracy, timeliness, etc.).
Measures and controls that ensure the quality of the data can be linked.
  • Storage limitation (Art. 5 para. 1 e GDPR):
The storage period (deletion period) of the data including justification for this must be specified. However, this is already done in the step "Data and resources" and is therefore not listed here.
Necessity and proportionality 1


Necessity and proportionality 2


Personal rights of the persons concerned

This point of the DPIA records what is done to grant the personal rights of the data subjects.

Several points of the GDPR must be clarified for this purpose:

  • Information obligation (Art 12-14 GDPR) and consent of the data subject (Art. 6 GDPR):
It must be described how the data subjects are informed about the processing, which information is provided to you in which way and how the consent of the processing is obtained, if this is required.
For this purpose, measures and controls to demonstrate compliance with the information obligation and consent of the data subject can be linked here.
  • Data subject rights (Art 13-22 GDPR):
It must be explained how data subjects can exercise their rights of access, authorization, erasure, restriction of processing, data transfer and objection.
For this purpose, measures and controls to demonstrate compliance with data subjects' rights can be assigned here.
  • Commissioned processing (Art 28 GDPR):
It must be explained whether and why the obligations of the processors are clearly defined and contractually regulated.
For this purpose, a list of the processors is displayed. These come from the main processing activity.
  • Data transfers to third countries (Art 44-49 GDPR):
It must be explained whether data transfers to countries outside the EU take place and whether and how these data are adequately protected.
For this purpose, a list of recipients to third countries is displayed. This comes from the main processing activity.
  • Position of the data subjects
It must be described if and how the data subject's point of view was collected.
If it was not raised, this must be justified!
Personal rights of the persons concerned 1


Personal rights of the persons concerned 2


Risk assessment and action planning


Risk assessment involves analyzing risks to the rights and freedoms of the data subjects. I.e., the analysis of the risk is carried out from the perspective of the data subject and not the company. In the process, risks are identified and assessed. This is done in the risk management area of HITGuard. The identified risk situations - which largely correspond to the concept of risk used in the GDPR - can be linked to the DPIA here.

HITGuard decides on measures and controls to deal with the identified risk situations. These measures and controls are presented by the tool itself in the DPIA on the basis of the linked risk situations.


Risk assessment and action planning


Consultations


This item records whether the advice of the data protection officer has been sought and whether the data protection authority has been consulted.

Pursuant to Article 35 (2) of the GDPR, the controller must seek the advice of the data protection officer when carrying out a DSFA if a data protection officer has been appointed. This consultation or the result thereof or reasons for not carrying it out can and should be documented here.

If a DPIA shows that the processing would result in a high risk, then the controller must consult the supervisory authority before processing if it does not or cannot take measures to mitigate the risk. This step can also be documented here in HITGuard by recording the decision of the data protection authority or by referring to the DPIA report.

Consultations