DASTRA
English
FrançaisEnglishNederlands
English
FrançaisEnglishNederlands
  • What is Dastra
  • 🇪🇺USEFUL REMINDERS
    • What is GDPR ?
    • GDPR key concepts
      • Personal data
      • Record of processing activities (ROPA)
      • Privacy impact assessment
      • Data retention period
      • Data Subject Rights (DSR)
      • Privacy by design and by default
      • Security measures
      • Data breach notifications
    • Risk management
      • Definition of risks
      • Risk assessment
      • Vendor risk management
  • 🧑‍🎓GETTING STARTED
    • Setting up
      • Create and set up a workspace
      • Create and set up organizational units
      • Appointing a DPO
      • Add a lead authority
      • Invite users
      • Managing roles and permissions
      • Create and assign teams
      • Frequently asked questions
    • Tutorial
      • Step 1: Setting up
      • Step 2: Map your personal data processing and draw up a register
      • Step 3: Managing risks
      • Step 4: Prioritize actions
      • Step 5: Implement internal processes
      • Step 6: Document compliance
    • Support
      • The dastronaut's assistant
      • Online help
      • Request support
      • The customer support process
  • ⚙️Features
    • Dashboard
    • General
      • Advanced Filters
      • Import your data (Excel, Csv)
      • Tag management
      • Custom fields
      • AI Assistant
      • Email templates
    • Data Mapping
    • Record of processing activities
      • "Data controller" record
      • "Data processor" record
      • Establish your record
      • Export / import the record
      • Use a processing activity template
      • Declare a processing activity
      • Complete a data processing activity
        • General information
        • Stakeholders
        • Purposes
        • Dataset
        • Assets
        • Data subjects
        • Data subjects rights (DSR)
        • Recipients
          • Data transfers outside the EU
        • Security measures
        • Impact analysis
        • Documentation
      • Create relationships between processing activities
      • Processing freshness
      • Share the record of processing
      • Data visualization
        • View the treatment tree
        • View the record data map
        • View the transfers map
      • Frequently asked questions
    • Audits and DPIA
      • Create or modify an audit template or DPIA
      • Scheduling an audit or a PIA
      • Share an audit report or PIA
      • FAQ
    • Privacy hubs
      • Create a Privacy hub
      • Configure your Privacy hub
        • Homepage and general configuration
        • Questionnaires
        • Data subject requests
        • Record of processing activities
        • Attachments
        • Organizational chart
        • Contacts
        • Security
        • Appearance and design
      • Preview and share your privacy hub
      • Collecting data processing projects from a Privacy hub.
    • Contracts
      • Declare a Contract
      • Structure of a contract
      • Documents
      • Assets
      • Signers
      • Linked users
      • Sign the contract
      • Docusign integration
      • Contract versions
      • Contract templates
    • Risk management
      • Glossary of terms
      • Risk management process
        • 1. Identification
        • 2. Assess
        • 3. Monitor
        • 4. Control
        • Let's recap
      • Dastra / eBios RM comparison
      • Attach a risk to a processing activity
      • FAQ
    • Planning
      • Create your action plan
      • Create or modify a project or an iteration
      • Monitor, screen or export your tasks
      • Customise the task workflow
      • Share as calendar
      • Customise the task workflow
      • Go further with planning
      • FAQ
    • Data subject right request
      • Manage data subject right requests
      • Set up a data subject right request widget
      • Technical integration
      • API integration
    • Manage data breach notifications
      • Report a data breach
      • Export your data breach notifications
    • Manage cookies consent
      • Widget configuration
        • Preliminary study
        • Cookies scanning
        • Classify cookies by consent categories
        • The purposes of cookies
        • Implement a cookie consent widget
        • Collect proof of cookie consent
        • Go further on cookie consent
        • In case of unavailability
      • Technical integration
        • Functioning of the widget
        • Quick start
          • Wordpress
        • Language management
        • Test the integration of a widget
        • Blocking cookies
          • Blocking iframes (twitter/youtube...)
          • Google Tag Manager
        • Advanced Design
        • Manage consent programmatically
        • User identification
        • Mobile applications
          • Hybrid applications
          • Native applications
        • TCF 1.1/2.0
      • RGAA compliance
      • Breakdown service
    • Regular review (freshness)
    • Custom Reporting
      • Integration with data analysis tools (BI)
    • AI Systems
      • Establishing a record of AI systems
      • Risk analysis and business value
      • Transparency notice
      • AI Models repository
    • Advanced configuration
      • SCIM
      • Roles and permissions
      • Single Sign On (SSO)
        • SAML 2
        • OpenId
        • ADFS
        • Active Directory
        • Okta
        • Known problems
      • References
      • API key management
      • Notifications
      • Workflow steps / process flow
      • Incoming mail data collection
      • OneDrive/Google Drive integrations
      • Webhooks
      • SMTP configuration
      • Workflow rules
      • Message templates
      • Email domains
  • PARTNERS
    • Portal
  • 📄API documentation
    • Configuration
    • Authentication
    • API References
    • Integrations
      • Frequently asked questions
  • 🛡️Security
    • Security at Dastra
    • Security roadmap
    • Quality of Service
  • Certifications
  • 🤖Other
    • FAQ
    • Known problems
    • Changelog
  • Referentials
    • CNIL referentials
      • HR referential from CNIL
Propulsé par GitBook
Sur cette page
  • Introduction
  • The "Data controller" record
  • Actors
  • Purposes
  • Legal basis
  • Inventory of data and data subjects
  • Recipients and transfers of data outside the EEA
  • Security measures
  • For more information

Cet article vous a-t-il été utile ?

  1. Features
  2. Record of processing activities

"Data controller" record

Learn how to use Dastra's "Data controller" record.

Introduction

Article 30 of the GDPR sets out specific obligations for the personal data controller record and the data processor record. If your organization acts as both a processor and a controller, your record must therefore clearly distinguish between the two categories of activities.

In practice, in this case, the CNIL recommends that you keep 2 records:

  1. one for the processing of personal data for which you yourself are responsible,

  2. another for the processing operations that you carry out, as a data processor, on behalf of your clients.

The rest of this page deals only with the "Data controller" record.

The "Data controller" record

For each processing operation, the record of a controller shall indicate at least:

  1. where applicable, the name and contact details of the joint data controller of the processing operation

  2. the purposes of the processing, the objective for which you have collected the data

  3. the categories of data subjects (customer, prospect, employee, etc.)

  4. the categories of personal data (e.g. identity, family, economic or financial situation, banking data, connection data, location data, etc.)

  5. the categories of recipients to whom the personal data has been or will be communicated, including the data processors you use

  6. transfers of personal data to a third country or to an international organization and, in certain very specific cases, the guarantees provided for these transfers;

  7. the time limits for the erasure of the various categories of data, i.e. the retention period, or failing that the criteria for determining it

  8. to the extent possible, a general description of the technical and organizational security measures that you implement

Actors

  • The identity and contact information of the data controller

  • The identity and contact information of the DPO, if applicable

  • The identity and contact information of the representative, if applicable

  • The joint data controller(s), if applicable

Purposes

  • All purposes related to the activity involving the processing

Legal basis

  • Compliance with a legal obligation

  • Fulfillment of a contract

  • Legitimate interest of the company or a third party

  • Public interest

  • Consent

  • Safeguarding the vital interests of the data subject or another person

Inventory of data and data subjects

  • Type of data subjects

  • Categories of data

  • Time limits for deleting data or applicable rule

Recipients and transfers of data outside the EEA

  • Identification of recipients including internal recipients (department concerned by the processing); external bodies (commercial or institutional partners); data processors (host, solution provider); data subject where applicable and joint data controllers

  • For each recipient, identification of transfers outside the European Economic Area (EEA) and the legal tools used (Binding corporate rules in the case of transfers outside the EU with subsidiaries, standard contractual clauses, country recognized as adequate, etc.)

Security measures

  • Technical and organizational measures implemented to secure each data processing

  • For example, data encryption, pseudonymization, access limitation

You can change the type of processing activity (from one created as a data controller to one created as a processor, and vice versa) The procedure is available here

For more information

Dernière mise à jour il y a 4 mois

Cet article vous a-t-il été utile ?

⚙️
Establish your record
The different sections of a "data controller" treatment in Dastra