Modelo de auditoríaData processing creation questionnaire

Indicate the name of the data processing operation. In practice, the processing corresponds to the activity involving the implementation of one or more data processing operations. For example, customer management or event management. Find out more about our knowledge base.

Describe your data processing

The processing state corresponds to the implementation state of your data processing within your organisation. Tip: only publish processes that have been put into production.

This information, which is not mandatory for keeping the register, enables you to map the application chain linking the data together.

Select the personal data fields that will be included in your dataset

Indicate here the retention periods applicable to this data set.

Indicate here the retention periods applicable to this data set.

Indicate here the retention periods applicable to this data set.

A data subject is any person whose data is collected, retained or processed by the data processing in question.
Ex: In the context of recruitment management processing, any candidate for the post concerned constitutes a data subject.

The right to information is the practical expression of the transparency required by the RGPD. You must inform the persons concerned by the processing when the data is collected or, in the case of indirect collection, within one month of collection or when the data is first communicated.

The right to erasure allows the concerned individual to request the deletion of data related to them. This right does not apply if the processing is based on public interest or a legal obligation. When your processing is based on a legal obligation, the right to erasure may apply if the processing meets the following conditions:

• Personal data is no longer necessary for the purposes for which it was collected or processed in another way

• Or personal data has been unlawfully processed

• Or personal data must be erased to comply with a legal obligation provided for by EU law or the law of the Member State to which the data controller is subject.

For example, an analysis of the uses of Internet users in order to create behavioral or marketing profiles.

Automated decision making with legal or similar significant effect, or processing that aims at taking decisions on data subjects producing legal effects concerning the natural person or which similarly significantly affects the natural person

Processing used to observe, monitor or control data subjects. personal data may be collected in circumstances where data subjects may not be aware of who is collecting their personal data and how they will be used. Additionally, it may be impossible for individuals to avoid being subject to such processing in public (or publicly accessible) space(s). For example, tracking or observing individuals’ location or behaviour.

Sensitive data, this includes special categories of data as defined in Article 9 GDPR (for example information about individuals’ political opinions), as well as personal data relating to criminal convictions or offenses. It also includes data which may more generally be considered as increasing the possible risk to the rights and freedoms of individuals, such as electronic communication data, location data, financial data (that might be used for payment fraud).

There is no threshold applicable. You must take into account the number of data subjects concerned, either as a specific number or as a proportion of the relevant population, the volume of data and/or the range of different data items being processed, the duration, or permanence, of the data processing activity and the geographical extent of the processing activity

Combining, linking or cross-referencing separate datasets where such linking significantly contributes to or is used for profiling or behavioural analysis of individuals, particularly where the data sets are combined from different sources where processing was/is carried out for difference purposes or by different controllers.

Taking account of the increased power imbalance between the data subject and the data controller, meaning the individual may be unable to consent to, or oppose, the processing of his or her data. For example, data from employees when it is linked to human resources management, or children, mentally ill, asylum seekers, the elderly, a patient, or in any case where a power imbalance in the relationship between the position of the data subject and the controller can be identified.

The personal and social consequences of the deployment of a new technology may be unknown. For example, certain ‘Internet of Things’ applications could have a significant impact on individuals’ daily lives and privacy.

When the processing in itself “prevents data subjects from exercising a right or using a service or a contract”. An example of this is where a bank screens its customers against a credit reference database in order to decide whether to offer them a loan.