Purposes

Enter the purposes of the data processing here.

Last updated 2 years ago


A purpose is the objective pursued by the creation of your file. It indicates what the processing of personal data will be used for, its raison d'être. This objective must be clear and understandable.

The definition of the purpose is fundamental because it is a prerequisite for the other elements framing the processing such as the data retention period, the adequacy, the relevance, the proportionality of the data as well as the accuracy and the updating of the data.

Article 5(1)(b) of the GDPR provides that the purpose must be determined, explicit and legitimate.

The purpose must be determined: the purpose must be defined with sufficient precision to adapt the necessary data protection guarantees and in order to define the scope of data processing. The level of detail required depends on the particular context of the data collection and the data involved. Sometimes simple language will be enough. For example, a local family business will not require the same level of detail to describe the purpose of the customer file as a multinational using complex algorithms allowing personalized offers and targeted advertising. The purpose must be determined before the processing is carried out.

The purpose must be explicit: the purpose must not be ambiguous and must be clearly expressed.

The purpose must be legitimate: legitimacy refers to the legal basis on which the data processing is based, as required by article 6 of the GDPR.

This notion also requires the purpose not to contravene the law in general. For example, the purpose will not be legitimate if it leads to discrimination prohibited by the penal code. Labor law, consumer law or contract law in particular can be taken into account.

In addition, it is necessary to take into account the context of the processing in order to assess the legitimacy and, in particular, the reasonable expectations of the data subject.

A processing activity can have several purposes. For example, the “recruitment” activity could have two distinct purposes: the analysis of applications and the management of interviews, as well as the creation of a CV-library.

For each purpose, you must define the applicable legal basis. There can only be one legal basis per purpose. The choice of this legal basis must be made according to the context of the processing.

Lawful basis for processing

There are 6 possible lawful bases for data processing.

Consent

Consent must meet four criteria for processing to be lawful: it must be

  • free,

  • specific,

  • informed and

  • unambiguous.

Consent must be as easy to withdraw as to give. You must document proof that consent is validly obtained. You can do this by attaching a description of the consent process to the processing activity (step 11).

Contract or pre-contractual measures

The contract legal basis must meet three criteria to be valid:

  • there must be a contractual or pre-contractual relationship between the controller and the data subject;

  • the contract must be valid under the applicable law; and

  • the processing must be objectively necessary for the performance of the contract.

The right to object cannot be exercised against processing based on this legal basis, but the right to data portability can. You can add the contract on which you are basing the processing in the attachments in step 11.

Legal obligation

The legal obligation must be

  • imperative,

  • sufficiently clear and precise to provide a valid basis for processing.

The texts creating this obligation must at least define the purpose of the processing. The obligation must be imposed on the controller and not on the data subjects. You must detail the text that imposes the processing (for example, an article of law).

Safeguarding vital interests

The safeguarding of vital interests is limited to situations that threaten the life of the person concerned or of another natural person. The most obvious application is the situation where a person is the victim of an accident and, being seriously injured, is admitted to a hospital while unconscious and isn't in a condition to give consent for the processing of his or her data for treatment. This basis must be interpreted strictly and used only if consent cannot be sought.

Public interest mission

The performance of a task in the public interest or in the exercise of public authority. The use of this legal basis is justified in particular for processing operations implemented by public authorities for the purpose of carrying out their missions.

Two conditions are necessary:

  • the processing must allow the relevant and appropriate exercise of the task entrusted to the public authority and must not have another purpose that is unrelated or too far removed from the specificities of the public interest task in question;

  • the public interest must be defined in the law and cannot be presumed.

You will need to detail the public interest purpose that requires the processing.

Legitimate interests

The legitimate interests of the controller or a third party.

This legal basis cannot be invoked by public bodies in the context of their mission and must meet 3 conditions:

  • the interest pursued must be legitimate, that is, lawful (legal), clear and precise, and real (not fictitious);

  • the processing must be necessary to achieve the objective and therefore it must be the least intrusive means;

  • and finally, the processing must not override the rights and freedoms of the data subjects, taking into account their reasonable expectations.

A balancing test must be carried out, for example with a proportionality test.

You can keep the results of this test as a document in step 11. You will also need to detail the legitimate interests invoked (e.g. security of the computer network or the fight against fraud).
