Template: List of Data Processing Activities with Data Protection Impact Assessment (DPIA)

Sven Piechottka
Updated April 27, 2024

Template Download

This is a free template, provided by OpenRegulatory.

If you are a user of Formwork, our eQMS software, you can save a lot of time by choosing “QMS” on the top menu and “OpenRegulatory Templates” on the left menu, and then opening the relevant folder to find this template ready to load into Formwork.

If, for some mysterious reason, you’re using a different QMS Software, you can also simply download this template – specifically, as Word (.docx), PDF, Google Docs or Markdown file. Scroll down for a preview!

The template license applies (don’t remove the copyright at the bottom, don’t re-use this for commercial purposes).

Template preview

List of Data Processing Activities

This template is supposed to give you an idea of the structure. Don't use Word; this is intended as an Excel / Sheets file. Think of the sub-sections below as different tabs in your spreadsheet.

Disclaimer: data privacy documentation should usually be written in the official language of your EU member state. Most likely, you should translate this template accordingly. In German, people refer to this typically as the ‘Verzeichnis der Verarbeitungstätigkeiten’…

Data Processing Activities

Note that this tab should exist twice: one time for internal processing activities and one time for external ones. Internal processing refers to your internal data that third parties may process on your behalf (for example: your tax accountant, your cloud provider, providers of all the tools you use in your company). External processing refers to data of third parties that you process on their behalf (for example: customer data that is transferred to your servers to be analyzed by your brand-new AI algorithm).

Categories: ID – Controller – Controller Address – Controller Contact Details – Legal Basis – Processing Purpose – Category of Data – Data Subjects – Start Date of Processing – End Date of Processing – Processor – Processor Address – Processor Contact Details – Legal Basis – Threshold Analysis – DPIA – Description of TOMs – Deletion Period – Transfer to Third Countries – Safeguards – Commentary

Consider that you will have many more data processing activities than categories. Write your categories as columns and processing activities as rows (the table in this template is transposed, i.e. rows and columns are flipped, for formatting reasons).

| Categories | Data Processing Example #1: Processing of Health Data by a Cloud Provider (Internal) | Data Processing Example #2: Processing of Applicant Data by a Software Tool Provider (Internal) | Data Processing Example #3: Processing of Health Data by Your Company as Clinical Decision-Support (External) | (…) |
|---|---|---|---|---|
| ID | 1 | 2 | 3 | |
| Controller | Example GmbH | Example GmbH | Berlin-Based Example Customer | |
| Controller Address | Example Street 123, 10000 Berlin, Germany | Example Street 123, 10000 Berlin, Germany | (…) | |
| Controller Contact Details | John Doe, [email protected] | John Doe, [email protected] | (…) | |
| Legal Basis | Commissioned Data Processing (Art. 6 Sect. 1 lit. b) GDPR) | Pre-Contractual Measures (Art. 6 Sect. 1 lit. b) GDPR) | Commissioned Data Processing (Art. 6 Sect. 1 lit. b) GDPR) | |
| Processing Purpose | Provision of Cloud Services | Management of Applicant Data | Provision of Decision-Support for Clinical Diagnoses | |
| Category of Data | Patient Data (e.g. DICOM image data and clinical information) | Applicant Data (e.g. CV, cover letter, reference documents) | Patient Data (e.g. DICOM image data and clinical information) | |
| Data Subjects | Patients that undergo CT lung cancer screening | Applicants to Example GmbH | Patients that undergo CT lung cancer screening | |
| Start Date of Processing | 01.08.2021 | 01.01.2021 | 01.08.2021 | |
| End Date of Processing | N/A | N/A | N/A | |
| Processor | Berlin-Based Example Cloud Provider | California-Based Example Software Provider | Example GmbH | |
| Processor Address | (…) | (…) | Example Street 123, 10000 Berlin, Germany | |
| Processor Contact Details | (…) | (…) | John Doe, [email protected] | |
| Legal Basis | Commissioned Data Processing (Art. 6 Sect. 1 lit. b) GDPR) | Commissioned Data Processing (Art. 6 Sect. 1 lit. b) GDPR) | Commissioned Data Processing (Art. 6 Sect. 1 lit. b) GDPR) | |
| Threshold Analysis | Acceptable | Acceptable | N/A | |
| DPIA | N/A | N/A | N/A | |
| Description of TOMs | Entry Control: locked building, documented key assignment (…); Access Control: central password authentication incl. 2FA (…); Usage Control: role-based authorization (…); Availability: uninterrupted power supply, continuous backups (…); (…) | (…) | (…) | |
| Deletion Period | 30 days after data ingestion | 6 months | 30 days after data ingestion | |
| Transfer to Third Countries | No | United States of America (USA) | No | |
| Safeguards | N/A | EU Model Contract Clauses | N/A | |
| Comment | | Note that after the ECJ Schrems II ruling, model contract clauses alone are not sufficient to safeguard data transfers to the U.S. | | |

Threshold Analysis and Data Protection Impact Assessment

Note that it is the responsibility of the controller to carry out a DPIA (Art. 35 GDPR).

Optionally, you can split this section into two separate tabs.

Reasoning: whenever a risk is deemed acceptable in a previous section, the documentation ends right there. For example, if the combined severity and probability of a risk are deemed acceptable, you don't have to work through the further evaluation criteria of the next section, let alone start a DPIA for that risk. (Sections are shown in brackets in the text below; use different formatting when you adopt this template.)

As part of your DPIA, you typically analyze several risk causes. More risk examples are listed in the risk methodology section.

Categories TA: (Risk Identification) – Processor – Processing Purpose – Risk Cause – Risk Description – (Initial Risk Assessment) – Severity – Probability – Assessment – (Further Evaluation Criteria: Special Processing) – Processing large quantities of personal data – Processing affects a large number of people – Use of new technologies – Processing hampers the exertion of data subject rights – Processing hampers the use of services or exertion of contracts for data subjects – Processing of data of vulnerable persons – (Further Evaluation Criteria: Automated Decision-Making) – By systematic assessment of personal characteristics based on profiling – By processing special categories of personal data – (Responsible data protection authority deemed processing high-risk)

Categories DPIA: Planned additional measures – (Re-Evaluation) – Severity after measures – Probability after measures – New assessment – (Implementation) – Responsible – Status – Date of Implementation – Notification of Authorities

| Categories | Data Processing Example #1: Processing of Health Data by a Cloud Provider (Internal) | Data Processing Example #2: Processing of Applicant Data by a Software Tool Provider (Internal) | (…) |
|---|---|---|---|
| Threshold Analysis | | | |
| Risk Identification | | | |
| Processor | Berlin-Based Example Cloud Provider | California-Based Example Software Provider | |
| Processing Purpose | Provision of Cloud Services | Management of Applicant Data | |
| Risk Cause | Unauthorized access | Unauthorized access | |
| Risk Description | Sensitive patient data could be identified by third parties, leading to a risk of identity theft | Applicant data could be identified by third parties, leading to a risk of identity theft | |
| Initial Risk Assessment | | | |
| Severity | S4 | S3 | |
| Probability | P2 | P2 | |
| Assessment | Unacceptable | Acceptable | |
| Further Criteria: Special Processing | | | |
| Processing large quantities of personal data | No | | |
| Processing affects large numbers of people | No | | |
| Use of new technologies | No | | |
| Processing hampers the exertion of data subject rights | No | | |
| Processing hampers the use of services or exertion of contracts for data subjects | No | | |
| Processing of data of vulnerable persons | No | | |
| Further Criteria: Automated Decision-Making (ADM) | | | |
| ADM by systematic assessment of personal characteristics based on profiling | No | | |
| ADM by processing special categories of personal data | No | | |
| Responsible Data Protection Authority deems processing high-risk | No | | |
| Data Protection Impact Assessment | | | |
| Planned additional measures | | | |
| Re-Evaluation | | | |
| Severity after measures | | | |
| Probability after measures | | | |
| New assessment after measures | | | |
| Implementation | | | |
| Responsible Role | | | |
| Status of Implementation | | | |
| Date of Implementation | | | |
| Notification to Authorities | | | |
| Comment | | | |

Risk Methodology

This tab should provide the taxonomy and an overview of the possible categories of content entered in the previous tabs.

Possible categories of risk:

  • Data loss (availability)
  • Unauthorized access (confidentiality)
  • Unauthorized modification (integrity)
  • Non-compliance (e.g. not deleting data)

Categories of data processed by the company:

  • Employee data
  • Customer data (of commercial partners)
  • User data (of employees of partners)
  • Patient data

| Degree of Severity | Social Damage (e.g. discrimination, loss of reputation) | Financial Damage | Identity Theft | Mortal Danger | Disclosure of Secrets |
|---|---|---|---|---|---|
| S1: Low | No or minor societal or economic disadvantages in daily life | In the scope of one month's salary | | | |
| S2: Rather Low | Societal or economic disadvantages can be noticed and lead to minor restrictions in daily life | In the scope of several months' salary | | | |
| S3: Rather High | Implications for an entire part of daily life for the person affected (e.g. workplace / professional environment) | In the scope of an annual salary | | | Disclosure of secrets has implications for a part of the life of the person affected |
| S4: High | Major disadvantages for the affected person across all fields of life (e.g. job loss or implications for personal surroundings) | Loss of all financial means | Identity theft | Mortal danger | Disclosure of secrets has implications for the entire life of the person affected |

| Probability of Occurrence | Future Estimate | Past Estimate |
|---|---|---|
| P1: Never | Event is unimaginable | Event has never occurred |
| P2: Seldom | Event may on average occur once every 10 years | Event has never occurred or more than 10 years ago |
| P3: Rather Unlikely | Event may on average occur every 5-10 years | Event has occurred in the last 5-10 years |
| P4: Rather Likely | Event may on average occur every 1-5 years | Event has occurred in the last 1-5 years |
| P5: Frequently | Event occurs at least once per year | Event has occurred in the last year |

Note: fields marked red denote a combination of severity and probability that is unacceptable; yellow fields are acceptable.

| | S1: Low | S2: Rather Low | S3: Rather High | S4: High |
|---|---|---|---|---|
| P5: Frequently | S1P5 (yellow) | S2P5 (red) | S3P5 (red) | S4P5 (red) |
| P4: Rather Likely | S1P4 (yellow) | S2P4 (red) | S3P4 (red) | S4P4 (red) |
| P3: Rather Unlikely | S1P3 (yellow) | S2P3 (yellow) | S3P3 (red) | S4P3 (red) |
| P2: Seldom | S1P2 (yellow) | S2P2 (yellow) | S3P2 (yellow) | S4P2 (red) |
| P1: Never | S1P1 (yellow) | S2P1 (yellow) | S3P1 (yellow) | S4P1 (yellow) |
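The following is an added example (not OpenRegulatory's code and not part of the template) showing how the staged threshold analysis can be automated once the register is kept as structured data: the severity/probability matrix above is encoded as a lookup, a risk found acceptable in the initial assessment stops the evaluation as the reasoning in the threshold-analysis section says, and a second pass cross-checks the register tab against the threshold-analysis tab and flags third-country transfers that rely on model contract clauses alone (the template's own Schrems II comment). The dataclasses, function names and sample rows are constructed for this illustration; the rule that one triggered further criterion is enough to require a DPIA is an assumption exposed as `min_indicators`. The sample rows mirror the template's examples #1 and #2, and since example #1 is rated S4/P2 (red) in the threshold-analysis tab but recorded as "Acceptable" in the register tab, the cross-check reports exactly that mismatch.

```python
"""Threshold analysis and register cross-check for a list of processing activities.

Added illustration, not OpenRegulatory's code: encodes the template's severity /
probability matrix and its staged reasoning, then checks the register tab against
the threshold-analysis tab. Names and sample rows are constructed; treating one
triggered criterion as enough for a DPIA (min_indicators) is an assumption.
"""
from dataclasses import dataclass, field

SEVERITIES = ("S1", "S2", "S3", "S4")
PROBABILITIES = ("P1", "P2", "P3", "P4", "P5")

# Matrix from the risk-methodology tab: one tuple per probability, columns S1..S4.
# "red" marks an unacceptable combination, "yellow" an acceptable one.
MATRIX = {
    "P5": ("yellow", "red", "red", "red"),
    "P4": ("yellow", "red", "red", "red"),
    "P3": ("yellow", "yellow", "red", "red"),
    "P2": ("yellow", "yellow", "yellow", "red"),
    "P1": ("yellow", "yellow", "yellow", "yellow"),
}

# Further evaluation criteria, named as in the threshold-analysis tab.
FURTHER_CRITERIA = (
    "Processing large quantities of personal data",
    "Processing affects large numbers of people",
    "Use of new technologies",
    "Processing hampers the exertion of data subject rights",
    "Processing hampers the use of services or exertion of contracts for data subjects",
    "Processing of data of vulnerable persons",
    "ADM by systematic assessment of personal characteristics based on profiling",
    "ADM by processing special categories of personal data",
    "Responsible Data Protection Authority deems processing high-risk",
)


def matrix_assessment(severity: str, probability: str) -> str:
    """Look up an S/P pair in the matrix: 'Acceptable' or 'Unacceptable'."""
    if severity not in SEVERITIES or probability not in PROBABILITIES:
        raise ValueError(f"unknown rating {severity}/{probability}")
    colour = MATRIX[probability][SEVERITIES.index(severity)]
    return "Unacceptable" if colour == "red" else "Acceptable"


@dataclass
class ThresholdAnalysis:
    activity_id: int
    severity: str
    probability: str
    criteria: dict = field(default_factory=dict)  # criterion name -> True/False


def evaluate(ta: ThresholdAnalysis, min_indicators: int = 1) -> dict:
    """Run the staged threshold analysis and decide whether a DPIA is required."""
    initial = matrix_assessment(ta.severity, ta.probability)
    result = {"initial": initial, "triggered": [], "dpia_required": False}
    if initial == "Acceptable":
        return result  # documentation ends here; no further criteria, no DPIA
    unknown = set(ta.criteria) - set(FURTHER_CRITERIA)
    if unknown:
        raise ValueError(f"criteria not in the taxonomy: {sorted(unknown)}")
    result["triggered"] = [c for c in FURTHER_CRITERIA if ta.criteria.get(c)]
    result["dpia_required"] = len(result["triggered"]) >= min_indicators  # assumed rule
    return result


@dataclass
class RegisterEntry:
    activity_id: int
    threshold_analysis: str  # value recorded in the register tab
    dpia: str                # "N/A" or a reference to the DPIA document
    third_country: str = "No"
    safeguards: str = "N/A"


def cross_check(entries, analyses, min_indicators: int = 1) -> list:
    """Flag register rows that disagree with the threshold-analysis tab or need review."""
    by_id = {ta.activity_id: ta for ta in analyses}
    findings = []
    for e in entries:
        ta = by_id.get(e.activity_id)
        if ta is None:
            findings.append((e.activity_id, "no threshold analysis recorded"))
            continue
        res = evaluate(ta, min_indicators)
        if res["initial"] != e.threshold_analysis:
            findings.append((e.activity_id,
                             f"register says {e.threshold_analysis}, matrix gives {res['initial']}"))
        if res["dpia_required"] and e.dpia == "N/A":
            findings.append((e.activity_id, "DPIA required but not recorded"))
        # Transfers outside the EU backed by model clauses only need supplementary
        # measures after Schrems II; surface them for review.
        relies_on_clauses = ("Model Contract Clauses" in e.safeguards
                             and "supplementary" not in e.safeguards.lower())
        if e.third_country != "No" and relies_on_clauses:
            findings.append((e.activity_id, "third-country transfer relies on model clauses alone"))
    return findings


# Constructed sample rows mirroring the template's worked examples #1 and #2.
SAMPLE_ANALYSES = [
    ThresholdAnalysis(1, "S4", "P2", {c: False for c in FURTHER_CRITERIA}),
    ThresholdAnalysis(2, "S3", "P2"),
]
SAMPLE_REGISTER = [
    RegisterEntry(1, "Acceptable", "N/A"),
    RegisterEntry(2, "Acceptable", "N/A", "United States of America (USA)", "EU Model Contract Clauses"),
]

if __name__ == "__main__":
    for activity_id, finding in cross_check(SAMPLE_REGISTER, SAMPLE_ANALYSES):
        print(f"activity {activity_id}: {finding}")
```

Running the module prints two findings for the sample rows: the mismatch between register and threshold analysis for activity 1, and the model-clauses-only transfer for activity 2. Keeping the matrix and the criteria list as data means that when the risk-methodology tab changes, only those constants change, and the cross-check can be re-run over the whole register.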

Template Copyright openregulatory.com. See template license.

Please don’t remove this notice even if you’ve modified contents of this template.
