To create a data processing, you need to fill in the required information. Let's take the example of a personal data treatment whose purpose is direct marketing to prospects, and go through the steps you will have to complete to create the data processing within minutes.
1- Purpose of the treatment
You have to choose the purpose of the treatment you are about to conduct, in our example, the purpose is General direct marketing.
The Didomi console comes with pre-integrated purposes for the most common treatments, but you can also add a new type of purpose that better fits the goal of the treatment you wish to perform.
To do so, click on "NEW PURPOSE+", enter the new purpose and hit "SAVE".
2- People concerned by the treatment
Add the categories of persons whose data you collect. For instance, for a General direct marketing to prospects treatment you collect prospects' data, so you select Prospects.
Here again, if you wish to create a new category of people, click on NEW PERSON+, enter the new category and then hit SAVE.
3- Category of processed data
To add a data category, click on ADD NEW TYPE OF DATA.
You will then have 4 fields to fill:
A- Categories of processed data (1)
Data categories correspond to the type of users' data you collect. For instance, identity data and contact details, login credentials, litigation data, etc.
We have established a list of data categories covering the most common treatments, but you can also create your own category by clicking on +ADD A NEW CATEGORY OF DATA:
For a General direct marketing to prospects treatment, usually involving sending emails, you can for example select "Identity and contact".
B- External sources (2)
External sources are the entities that supply you with persons' data. You have to fill in this field whenever the data you collect comes from a source other than the person himself/herself.
You can create your own external source by clicking on the + and Add new partner.
First of all, enter the name of your partner. Then select the category to which your partner belongs (subsidiary or service provider, for example).
Then enter the country and the type of protection covering the transfer. If your partner is based in the European Union, you do not need to fill in the type of protection field.
Also add the address of the company's headquarters as well as an email address or a contact's phone number (preferably the DPO's or a privacy address).
Indicate the URL of the partner's website, the URL of its privacy policy (often found in the footer of its website), its general terms and conditions (also found on its website), and the opt-out link if any (a link offered by the partner to object to cookies).
Also include the link to the specific clauses regarding personal data (DPA, data processing agreement): these are the clauses that contractually govern the relationship between a service provider (processor, or subcontractor) and its clients (data controllers).
And finally, you will sometimes find a list of the subcontractors your partner works with (processors are required by the GDPR to inform the controller of the sub-processors they engage): you can enter that link in the "List of Subcontractors" field.
C- Recipients (3)
Recipients are entities to which personal data is transferred or made available. You can create your own recipient if you can't find it in the list. To do so, click on Add a new partner, under the "Recipients" column.
The steps are the same as the ones just above for creating an external source. Note that the same entity can be both a recipient (you send it emails, for example) and an external source (it sends you back additional information); it will then have to be listed in both columns.
D- Data retention time (4)
Data retention time corresponds to how long you store and keep the data you have collected.
Data retention time must be defined when you create a new treatment. Retention time varies and depends on the type of data being collected as well as the intended purposes. CNIL gives recommendations on these subjects: for example, a prospect's contact details must be deleted if the prospect has not responded to any solicitation in three years.
4- Legal basis
Article 6 of GDPR states that an entity may process personal data only in a limited number of cases, most of which rest on a necessity: this is the legal basis of the treatment. To add a legal basis to your treatment, click on "Legal basis" and choose an option in the drop-down menu. You can also add details regarding your legal basis.
You can perform processing based on:
A. The need to perform a contract to which the person is a party, or to take pre-contractual measures at that person's request (for example, a delivery address).
B. The need to comply with a legal obligation.
C. The need to protect the vital interests of the person in question or of another natural person (for example, his/her name for a hospitalization).
D. The need to perform a task carried out in the public interest or in the exercise of official authority vested in the controller (for example: fiscal situation by the Tax Agency).
E. The need for the purposes of the legitimate interests pursued by the data controller or by a third party, unless the interests or fundamental rights and freedoms of the person prevail (login information for statistical purposes).
In the absence of such a need, the person in question must consent explicitly (by a positive action).
In some cases, possibilities of processing data can be even more restricted:
- Article 9 of GDPR indicates the cases in which sensitive data can be processed,
- Article 10 of GDPR states the cases in which data relating to criminal convictions and offences can be processed,
- Article 22 of GDPR indicates the cases in which data can be used to take an automated decision that has a legal or similarly significant effect on a person,
- ePrivacy legislation states the cases in which data linked to electronic communications can be processed.
We have classified these legal bases according to these situations. For instance, if you process sensitive data, you will have access to the legal bases that are possible for this specific data processing.
For General direct marketing to prospects, you can select the legal basis "consent" in the non-sensitive data category. More information about direct marketing here: https://www.cnil.fr/fr/la-prospection-commerciale-par-courrier-electronique.
5- Security measures and impact assessment
A. Security measures
Article 32 of GDPR places the controller (and the processor) under an obligation of security: it must take the measures needed to guarantee the security of the data and prevent disclosure to unauthorized third parties. Examples given by the article: pseudonymization and encryption of personal data; means to guarantee the ongoing confidentiality, integrity, availability and resilience of processing systems and services; means to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident; and a process for regularly testing, assessing and evaluating the effectiveness of the technical and organizational measures that secure the treatment.
Article 30 of GDPR requires the record of processing activities to include, where possible, a general description of the technical and organizational security measures referred to in Article 32. To add a new security measure, click on the drop-down menu underneath "SECURITY MEASURES".
We have established a list of the most common security measures. You can add some by clicking on NEW SECURITY MEASURE+.
B. Impact assessment (PIA)
Article 35 of GDPR requires an impact assessment on data protection (PIA, Privacy Impact Assessment) when a personal data processing is likely to result in a high risk to the rights and freedoms of the people concerned.
We have established a list indicating when a PIA is recommended, required or not necessary (based on the recommendations of the Article 29 Working Party, G29).
If you wish to read more information on impact assessment, click here: https://www.cnil.fr/en/privacy-impact-assessment-pia
CNIL also offers a tool to carry out your PIAs, which you can download here: https://www.cnil.fr/en/open-source-pia-software-helps-carry-out-data-protection-impact-assesment
For a treatment such as General direct marketing for prospects for which you collect identity and contact data, a PIA will not be necessary except in exceptional circumstances.
6- Overall retention time
The last step is to indicate an overall retention time, that will appear in your Privacy Center for the people concerned.
When the data you collect within the same treatment does not all have the same retention time, it is recommended to state the longest retention time, so that the user is never shown false information.
For a General direct marketing for prospects treatment, the CNIL recommends to indicate a retention time of three years, starting from the day of the last contact with the prospect.
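The retention rules described in steps 3D and 6 (a retention time per data category, the longest one displayed as the overall retention time, and the three-year clock for prospect contact data restarting at each contact) are only useful if something actually enforces them. The following is an added example, not Didomi code and not part of the original page, of a purge routine that applies per-category retention to prospect records. The category names, the one-year "interaction_history" category, the field-to-category mapping and the sample records are all assumptions constructed for the example; only the three-year figure for contact data comes from the CNIL guidance quoted above.

```python
"""Retention enforcement for a 'direct marketing to prospects' treatment (example)."""
from datetime import date, timedelta

# Retention per data category, in days. The three-year value for identity and
# contact data follows the CNIL guidance quoted on this page; the one-year
# "interaction_history" category is a hypothetical second category, added so
# that the example shows categories with different retention times.
RETENTION_DAYS = {
    "identity_and_contact": 3 * 365,
    "interaction_history": 365,
}

# Assumed mapping from stored fields to data categories. Fields that are not
# listed here (the record id, the last-contact date) are bookkeeping, not
# personal data categories of the treatment.
FIELD_CATEGORY = {
    "email": "identity_and_contact",
    "name": "identity_and_contact",
    "opened_campaigns": "interaction_history",
}

# Constructed sample records (not real data).
SAMPLE_RECORDS = [
    {"id": "p-001", "email": "a@example.com", "name": "A",
     "opened_campaigns": [1, 2], "last_contact": date(2024, 1, 15)},
    {"id": "p-002", "email": "b@example.com", "name": "B",
     "opened_campaigns": [3], "last_contact": date(2022, 9, 1)},
    {"id": "p-003", "email": "c@example.com", "name": "C",
     "opened_campaigns": [], "last_contact": date(2020, 1, 1)},
]


def overall_retention_days(retention=RETENTION_DAYS):
    """Longest retention time among the categories: the value the page
    recommends showing as the treatment's overall retention time."""
    return max(retention.values())


def expired_categories(last_contact, today, retention=RETENTION_DAYS):
    """Categories whose retention period has elapsed since the last contact.
    Measuring from last_contact is what makes each new contact restart the clock."""
    return sorted(cat for cat, days in retention.items()
                  if today - last_contact > timedelta(days=days))


def apply_retention(record, today):
    """Return (pruned record or None, list of erased field names).

    Design choice for this example: once the identity/contact category has
    expired the whole record is dropped, because data left behind without any
    identifier would be orphaned rather than lawfully retained."""
    gone = expired_categories(record["last_contact"], today)
    if "identity_and_contact" in gone:
        return None, sorted(f for f in record if f in FIELD_CATEGORY)
    erased = [f for f, cat in FIELD_CATEGORY.items() if cat in gone and f in record]
    pruned = {k: v for k, v in record.items() if k not in erased}
    return pruned, erased


def run_purge(records, today):
    """Apply retention to every record. Returns the surviving records and an
    audit log keyed by record id: the log deliberately never contains the
    email or name being erased, so the purge itself does not re-create a copy
    of the data it removes."""
    kept, log = [], []
    for record in records:
        pruned, erased = apply_retention(record, today)
        if pruned is not None:
            kept.append(pruned)
        if erased:
            log.append((record["id"], erased))
    return kept, log


if __name__ == "__main__":
    kept, log = run_purge(SAMPLE_RECORDS, date(2024, 6, 1))
    print("overall retention (days):", overall_retention_days())
    print("kept:", [r["id"] for r in kept])
    print("erasures:", log)
```

Run as a scheduled job, this is the piece that turns the retention time declared in the console into something auditable: the log says which record and which categories were erased and when, without repeating the erased data.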
When you click on settings, you have access to all the types of data, external sources, recipients, persons, purposes, data categories and security measures that you have created for your various treatments. You can add new ones, or edit or delete existing ones.
Once you are done setting your treatment, you can save it by clicking on SAVE & VALIDATE in the bottom right of your screen.