Start with a Template

NiōBase provides a number of templates for your processing activities (cf. Article 30 GDPR). To start with a template, click on "Processing Activities" in the menu under "GDPR tools". Select the templates in the top right corner that are suitable for you and change the status to “Draft” or “In Examination”. If there is no template for the edit required, you can create a new one. Give your processing a descriptive name. An example of this would be "Payroll Accounting Data Transfer to Tax Consultant."

The system automatically issues a unique and consecutive number (“ID”) for each new processing activity.

Using the 'Edit Icon' in the top right-hand corner, 'Highlighting' (selecting) the entries and then using the 'Copy' function, you can copy and re-create one or more processing activities.

Caution
The European Data Protection Commission stipulates the need for a history for the management of the Records of Processing Activities (RoPA). Therefore, you are not allowed to simply delete processing activities that have once been used or applied in the RoPA. Once you have created, adapted and activated a new processing activity, you can set the old one to “inactive”. You can prove the historical period of use via the date settings “Valid from” and “Valid to”.

Now create a new processing activity (PA) or edit an existing one (your own or from the template). While editing a PA, start with all entries in the left column and then move on to the entries in the right column.

Creating a Processing Activity – Part 1

1. Firstly, you should select the status for your processing activity: Active, Draft, Inactive, In Implementation, Template.

2. Specify a time frame, if the processing activity is or was limited. Leave the default settings for an on-going PA.

3. Assign the PA to a department (e.g. PA Payroll accounting of the accounting department).

4. Assign the PA to a department (e.g. the PA Payroll accounting of the accounting department).

5. Purposes of the processing:
 Start by defining your PA: The query will change depending on the data collection source and the selection made. Follow these instructions - it is a managed process. For example, each process can have several different creations.



6. Specify the controller. This must be a “Controller” as defined in the GDPR, e.g. managing director or owner.

7. Here you can specify who within the company or among the processors (AV) has access to this PA from the point of view of the GDPR (this is not related to system authorisations).

8. You do not need to make a selection if you do not require a risk analysis or a data protection impact assessment. Coordinate with your DPO.

Creating a Processing Activity – Part 2

1. Setting retention and storage periods:
 Look at the following description



2. Categories of data subjects: There may be several processing groups, e.g. customers and employees.

3. Lawfulness of processing:
 More than one legal basis may be applicable for a specific PA.



4. If you do not need to perform a risk assessment, please state your reason here.

5. Enter any mandatory information.

Creating a Processing Activity – Part 3

Depending on the system configuration, you can upload documents via the document management system or access them on the external system (e.g. Sharepoint, Visio).

Caution
Under 'Categories' and 'Storage Periods', please check whether all the necessary retention and storage periods are published. NiōBase provides a series of retention and storage periods for Austria. This is only possible to a limited extent for other countries because those countries do not provide them in a collective manner. If you have any queries about this, please contact your data protection officer, law firm or chamber.

The standard processing activities provided by NiōBase specify Austrian retention and storage periods, which are to some extent similar to those from Germany. Please adjust them in the settings.

For countries other than Austria, the retention and storage periods set up during the creation of an account are only those required for the processing activities. Therefore, do not delete them; instead, give them another name and adapt them.

Please create any other retention and storage periods you may require.