"Data controller" record

Learn how to use Dastra's "Data controller" record.

Introduction

Article 30 of the GDPR sets out specific obligations for the personal data controller record and the data processor record. If your organization acts as both a processor and a controller, your record must therefore clearly distinguish between the two categories of activities.

In practice, in this case, the CNIL recommends that you keep 2 records:

one for the processing of personal data for which you yourself are responsible,
another for the processing operations that you carry out, as a data processor, on behalf of your clients.

The rest of this page deals only with the "Data controller" record.

The "Data controller" record

For each processing operation, the record of a controller shall indicate at least:

where applicable, the name and contact details of the of the processing operation
the purposes of the processing, the objective for which you have collected the data
the categories of data subjects (customer, prospect, employee, etc.)
the categories of personal data (e.g. identity, family, economic or financial situation, banking data, connection data, location data, etc.)
the categories of recipients to whom the personal data has been or will be communicated, including the data processors you use
transfers of personal data to a third country or to an international organization and, in certain very specific cases, the guarantees provided for these transfers;
the time limits for the erasure of the various categories of data, i.e. the retention period, or failing that the criteria for determining it
to the extent possible, a general description of the technical and organizational security measures that you implement

Actors

The identity and contact information of the data controller
The identity and contact information of the DPO, if applicable
The identity and contact information of the representative, if applicable
The joint data controller(s), if applicable

Purposes

All purposes related to the activity involving the processing

Legal basis

Compliance with a legal obligation
Fulfillment of a contract
Legitimate interest of the company or a third party
Public interest
Consent
Safeguarding the vital interests of the data subject or another person

Inventory of data and data subjects

Type of data subjects
Categories of data
Time limits for deleting data or applicable rule

Recipients and transfers of data outside the EEA

Identification of recipients including internal recipients (department concerned by the processing); external bodies (commercial or institutional partners); data processors (host, solution provider); data subject where applicable and joint data controllers
For each recipient, identification of transfers outside the European Economic Area (EEA) and the legal tools used (Binding corporate rules in the case of transfers outside the EU with subsidiaries, standard contractual clauses, country recognized as adequate, etc.)

Security measures

Technical and organizational measures implemented to secure each data processing
For example, data encryption, pseudonymization, access limitation

For more information

Dernière mise à jour il y a 4 mois

Cet article vous a-t-il été utile ?

Introduction

In practice, in this case, the CNIL recommends that you keep 2 records:

one for the processing of personal data for which you yourself are responsible,

another for the processing operations that you carry out, as a data processor, on behalf of your clients.

The rest of this page deals only with the "Data controller" record.

The "Data controller" record

For each processing operation, the record of a controller shall indicate at least:

where applicable, the name and contact details of the of the processing operation

the purposes of the processing, the objective for which you have collected the data

the categories of data subjects (customer, prospect, employee, etc.)

the categories of personal data (e.g. identity, family, economic or financial situation, banking data, connection data, location data, etc.)

the categories of recipients to whom the personal data has been or will be communicated, including the data processors you use

transfers of personal data to a third country or to an international organization and, in certain very specific cases, the guarantees provided for these transfers;

the time limits for the erasure of the various categories of data, i.e. the retention period, or failing that the criteria for determining it

to the extent possible, a general description of the technical and organizational security measures that you implement

Recipients and transfers of data outside the EEA

Identification of recipients including internal recipients (department concerned by the processing); external bodies (commercial or institutional partners); data processors (host, solution provider); data subject where applicable and joint data controllers

For each recipient, identification of transfers outside the European Economic Area (EEA) and the legal tools used (Binding corporate rules in the case of transfers outside the EU with subsidiaries, standard contractual clauses, country recognized as adequate, etc.)