Personal Data Analysis Diagram
Process Narrative: The Website Sale process starts with a customer visiting our website, choosing a product and going through checkout. The customer provides contact details and credit card information and their IP address is recorded automatically by the website. Credit card details are checked and stored at the Payment Processor, order details are stored on the Web Server and interfaces send the customer name and email address to a Review Website and a Mailing website for later use.
Project or Business Process:
Version:
Dated:
Author:
Website Sale Version 1 [dd/mm/yyyy] A.N. Other
Web server Access controls Two factor authentication for admin accounts Retention period 7 years Level of data subject access Can be updated via portal Encryption level None Country stored in Germany Location type Electronic Customer name, address and email address Owner Sales and Marketing Manager Privacy notice Privacy Notice 1 Consent required? No Obtained from data subject Yes Special category No Description Customer contact details Customer telephone number Owner Sales and Marketing Manager Privacy notice Privacy Notice 1 Consent required? No Obtained from data subject Yes Special category No Description Telelphone number of the customer Credit card details Owner Sales and Marketing Manager Privacy notice Privacy Notice 1 Consent required? No Obtained from data subject Yes Special category No Description Number, expiry and CVC of customer's credit card Customer IP address Owner Sales and Marketing Manager Privacy notice Privacy Notice 1 Consent required? No Obtained from data subject Yes Special category No Description The IP address of the customer at the time of purchase Sale via website Controls applied SSL/TLS encryption Internal or external External Frequency Adhoc Volume About 50 a day Transfer method Electronic via Internet Website sale processing Process owner Sales and Marketing Manager Automated decisionmaking? No Method of consent Consent not required Lawful basis Contractual Purpose of processing Website sale; receive funds in exchange for product Storage on web server Controls applied Internal or external Internal Frequency Adhoc Volume About 50 a day Transfer method Storage in database Payment processor Access controls Two factor authentication for admin accounts Retention period 7 years Level of data subject access None Encryption level Encryption at rest Country stored in Germany Location type Electronic Credit card details Controls applied SSL/TLS encryption Internal or external External Frequency Adhoc Volume About 50 a day Transfer method Electronic via Internet
Review Website Access controls User account and password Retention period 7 years Level of data subject access None Encryption level None Country stored in Germany Location type Electronic Copy of sale confirmation email Controls applied None Internal or external External Frequency Adhoc Volume About 50 a day Transfer method Email via Internet Mailing Website Access controls Two factor for admin access Retention period 7 years Level of data subject access None Encryption level None Country stored in France Location type Electronic API –Name and email address Controls applied None Internal or external External Frequency Adhoc Volume About 50 a day Transfer method API via Internet
Personal Data Analysis Diagram
Project or Business Process: Version: Dated: Author:
Post-sale review request Version 1
[dd/mm/yyyy]
A.N. Other
Process Narrative: Customer name and email address are stored on the Review Website and used to send an automated request to the customer to submit a review of the product they have purchased. If submitted, the review is stored on the Review Website and will be accessible publicly.
Customer name and email address Owner Sales and Marketing Manager Privacy notice Privacy Notice 1 Consent required? Yes Obtained from data subject Yes Special category No Description Customer contact details Post-sale review request Process owner Sales and Marketing Manager Automated decisionmaking? No Method of consent Tickbox at checkout Lawful basis Consent Purpose of processing Email the customer to ask them to submit a review of the product
Review Website Access controls User account and password Retention period 7 years Level of data subject access None Encryption level None Country stored in UK Location type Electronic Information retrieval Controls applied Not known Internal or external External Frequency Daily Volume 200 a week Transfer method Extract from database
Personal Data Analysis Templates
Instructions:
Copy and paste the appropriate objects on this page onto a new tab (one per business process) in order to create representations of the flow of personal data.
To enter shape data, first ensure that the Shape Data task pane is shown by visiting the View ribbon, clicking on Task Panes and selecting Shape Data. Data can be entered by clicking on the shape and typing data directly into the Shape Data box that will be displayed.
[Transfer name] Frequency 0 Controls applied 0 Internal or external 0 Volume 0 Transfer method 0 [Storage location] Access controls 0 Encryption level 0 Retention period 0 Country stored in 0 Level of data subject access 0 Location type 0 [Transfer name] Frequency 0 Controls applied 0 Internal or external 0 Volume 0 Transfer method 0 [Personal data item name(s)] Consent required? 0 Obtained from data subject? 0 Special category? Privacy notice 0 Owner 0 Description 0
[Processing] Method of consent 0 Process owner 0 Automated decisionmaking? 0 Lawful basis Purpose of processing 0