
Data categories

From the HITGuard User Guide

Data categories are used to categorize data for use in HITGuard. For example, there is a data category Employee Data, which lists contact data, bank data or contract data of the employee as subcategories.


Example: Representation of the data categories in the structural analysis in risk management


The structural analysis shows in which applications, via which processing activities and in which departments the data categories are processed.

Data categories

Under "Administration → Data Categories" you can manage the data categories as an admin or expert.

Data categories


Create/edit/delete data category

To create a data category, click the "Plus" button in the overview.

To edit a data category, double-click the corresponding category.

Interface for editing/creating a data category


Name: The name of the category, e.g. application documents, customer data, or personnel data.

Description: Used to describe the content of a data category, e.g. insert image of the mask

Parent data-category: Used for hierarchical structuring of the data categories

Data class: Determines whether data in a category is public, internal, or to be handled as secret. These classes are freely definable by experts across systems (see Data classes).

Time limit for erasure:

Defines the erasure time limit that is set by default when this data category is selected, e.g. in data protection for processing activities.
Only erasure time limits created in the "Time limits for erasure" item are available for selection.

Time limit for erasure inheritance:

This option is only available when the erasure time limit is set.
Determines the behavior of data categories that have this data category as parent.
  • None: None of the child data categories adopt this erasure time limit.
  • To all: All child data categories adopt this erasure time limit regardless of whether they already have an erasure time limit set or not.
  • If no erasure time limit is set: All subordinate data categories that do not yet have an erasure time limit adopt this erasure time limit.

Data source:

Data categories often stem from single, known sources, e.g., from the data subjects themselves. Record a standardized data source here, which will automatically be taken over in processing activities. It can afterwards be manually modified in individual processing activities.

Person in charge: The user who is responsible for handling the data in the given category. When creating a new data category, the person in charge of the selected parent category is filled in automatically, unless you have already entered a different person in charge directly in the category. The person in charge can also be changed manually.

Can be used for:

Protection needs analysis:
  • Creates an overview of what impact it will have on your business if something happens to this data (e.g. hard drive with customer data is stolen).
Personal:
  • Personal data categories are important for the data protection module as they can be sensitive and are handled in processing activities.

Risks: All risks of the data category are listed here. It is not possible to assign risks here. More about risks can be found here.

Delete data category: To delete in the edit screen, click on the red trash can.
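The three "Time limit for erasure inheritance" options described above, modelled as an added example (not HITGuard code) together with a check for personal data categories that are left without an erasure time limit. The class and function names are hypothetical, the limit names "7 years" and "10 years" are constructed sample values, and only direct child categories are modelled.

```python
from dataclasses import dataclass, field
from typing import Optional

# Inheritance options as they are named on this page.
NONE, TO_ALL, IF_UNSET = "None", "To all", "If no erasure time limit is set"

@dataclass
class Category:
    name: str
    limit: Optional[str] = None   # assigned time limit for erasure, if any
    personal: bool = False        # the "Personal" usage flag
    children: list = field(default_factory=list)

def inherit(parent: Category, mode: str) -> None:
    """Apply the parent's limit to its direct children according to mode."""
    if parent.limit is None:      # the option only exists once a limit is set
        return
    for child in parent.children:
        if mode == TO_ALL or (mode == IF_UNSET and child.limit is None):
            child.limit = parent.limit

def limits(parent: Category) -> dict:
    """Map each child category name to its current erasure time limit."""
    return {c.name: c.limit for c in parent.children}

def personal_without_limit(parent: Category) -> list:
    """Personal child categories that still have no erasure time limit."""
    return [c.name for c in parent.children if c.personal and c.limit is None]

def sample() -> Category:
    # Constructed sample: category names from the page, limit names made up.
    return Category("Employee Data", "7 years", True, [
        Category("Contact data", None, True),
        Category("Bank data", "10 years", True),
        Category("Contract data", None, True),
    ])

def run(mode: str):
    """Apply one inheritance mode to a fresh sample tree and report the result."""
    root = sample()
    inherit(root, mode)
    return limits(root), personal_without_limit(root)

if __name__ == "__main__":
    for mode in (NONE, TO_ALL, IF_UNSET):
        print(mode, *run(mode))
```

With "To all", the limit that was set separately on "Bank data" is replaced by the parent's limit, so existing child limits are worth reviewing before that option is chosen.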

Gaps/measures/controls

Same as for resources. More about this here.

Time limits for erasure

Time limits for erasure indicate the maximum period for which data of a data category may be retained. This has become more important in recent years due to the GDPR. For this reason, deletion periods can be managed in HITGuard under "Administration → Data categories | Deletion periods".

These time limits for erasure can be assigned to data categories, which means that, for example, the assigned time limit for erasure is automatically set for processing activities. Of course, this can be changed in the processing activity if necessary without affecting this time limit for erasure.

Caution:
Changes to a time limit for erasure do not affect processing activities that have already been created!

Time limits for erasure


Create/edit/delete time limit for erasure

By clicking on the "Plus" button in the overview, a new time limit for erasure can be created.

By double-clicking an already existing time limit for erasure, it can be edited.

To delete a time limit for erasure, open an existing one and then click the red "Trash can" button.

Edit time limit for erasure


Name: The name with which the time limit for erasure appears.

Description: A textual description of the time limit for erasure can be entered here. This could be, for example, the legal text with which the time limit for erasure deals.

Reason: A reason for the time limit for erasure can be recorded here, such as a reference to a law. This reason is automatically filled in in processing activities.

Time limit for erasure: Here, the maximum retention period is specified, i.e. the time after which the data must be deleted.

Specified time limits for erasure

When determining time limits for erasure, statutory retention periods from tax law, commercial law, labor law or other legal provisions must be observed.

For Austria, the WKO (Austrian Federal Economic Chamber) has compiled a clear summary of the most common retention periods from the applicable legal provisions: here

For data processed in Germany, some service providers, especially data disposal service providers, have taken on the task of compiling an overview of common retention periods.

However, since errors cannot be ruled out, we recommend that you always check the respective legal regulation in its currently valid version to determine the actual retention periods, or compare it with the information collected on the retention period.