Personal Data Capture Form

Security Classification: Internal Use Only
Date completed: dd/mm/yyyy
Completed by: A.N. Other

| Ref | Project or business process | Personal data item | Description | Special category of personal data? | Obtained from data subject? | Owner | Processing purpose | Lawful basis of processing | If consent-based, how is consent obtained? | Automated decision-making? |
|---|---|---|---|---|---|---|---|---|---|---|
| 1 | Website sale | Customer name | The name of the customer; sometimes different to the name of the person receiving support | No | Yes | Sales and Marketing Manager | Sales records and ongoing support | Contractual | Not applicable | No |
| 2 | Website sale | Customer email address | Email address of the customer; usually a business email but often a gmail or hotmail account | No | Yes | Sales and Marketing Manager | Sales records and ongoing support | Contractual | Not applicable | No |
| 3 | Website sale | Customer telephone number | Phone number, usually business but could be personal | No | Yes | Sales and Marketing Manager | Backup contact if email doesn't work - do we need this? | Contractual | Not applicable | No |
| 4 | Website sale | Credit card details | Number, expiry and CVC of customer's credit card | No | Yes | Sales and Marketing Manager | Sale - details are not kept by us. | Contractual | Not applicable | No |
| 5 | Website sale | Customer address | Physical address including street, city, county, zip and country | No | Yes | Sales and Marketing Manager | Sales approval via credit card; tax records; VAT charging | Contractual | Not applicable | No |
| 6 | Website sale | Customer IP address | IP address of the purchaser at the time of purchase | No | Yes | Sales and Marketing Manager | Evidence of location for tax purposes | UK law | Not applicable | No |
| 7 | Post-sale review requests | Customer name and email address | Name and email address of the customer; usually a business email but often a gmail or hotmail account | No | Yes | Sales and Marketing Manager | Post-sales marketing of additional products | Consent | Not obtained | No |
| 8 | Newsletter | Customer name and email address | Name and email address of the customer; usually a business email but often a gmail or hotmail account | No | Yes | Sales and Marketing Manager | Post-sales marketing of additional products | Consent | Customer explicitly signs up for the newsletter | No |
| 9 | Provision of product updates | Customer name and email address | | No | Yes | Product Manager | Communication that an update is available | Contractual | Not applicable | No |
| 10 | Feedback survey requests | Customer name and email address | | No | Yes | Product Manager | Post-sale and annual feedback survey - issues and improvements | Consent | Not obtained | No |
| 11 | Post-sales support | Customer name and email address | May be different to the purchaser | No | Yes | Product Manager | Product support and questions | Contractual | Not applicable | No |
| 12 | Product sample downloads | Customer name and email address | | No | Yes | Sales and Marketing Manager | Provide samples of products on request by customer | Contractual | Not applicable | No |
| 13 | LinkedIn Connections | Customer name, company and location | | No | Yes | Sales and Marketing Manager | Send connection request in LinkedIn | Consent | Customer explicitly accepts connection request | No |
| 14 | Pre-Sales Enquiries | Customer name, company, email address and telephone number | | No | Yes | Sales and Marketing Manager | Respond to customer enquiries | Contractual | Not applicable | No |
| 15 | Human Resources | Employee name, address, NI number, salary and bank account details | Basic information required for employment | No | Yes | Managing Director | Payroll, tax and employment records | Contractual | Not applicable | No |

(a further 8 columns are not shown)
Actions

The following actions have been identified from the Personal Data Capture Form:

| Ref. | Date Raised | Assessment Ref. | Action | Who | By When | Narrative | Status |
|---|---|---|---|---|---|---|---|
| 1 | dd/mm/yyyy | 3 | Decide if telephone number is required to be captured | ANO | dd/mm/yyyy | | Open |
| 2 | dd/mm/yyyy | 4 | Find out where Payment Processor stores its data | ANO | dd/mm/yyyy | | Open |
| 3 | dd/mm/yyyy | 7, 10 | Obtain consent for post-sale review requests and feedback survey requests | ANO | dd/mm/yyyy | | Open |
| 4 | dd/mm/yyyy | 7 | Find out where Reviews Website stores its data and whether it's encrypted | ANO | dd/mm/yyyy | | Open |
| 5 | dd/mm/yyyy | 10 | Find out where Mailing Website stores its data and whether it's encrypted | ANO | dd/mm/yyyy | | Open |
| 6 | dd/mm/yyyy | 11 | Find out where File Sharing Website stores its data | ANO | dd/mm/yyyy | | Open |
| 7 | dd/mm/yyyy | 15 | Ask Payroll Bureau about the controls they have in place, including any certifications | ANO | dd/mm/yyyy | | Open |
Personal Data Capture Form - Completion Instructions

The intention of this spreadsheet is to map out the capture and use of personal data for one or more business processes or projects. The intended meanings of the listed columns are as follows.

| Column | Meaning |
|---|---|
| Ref | A sequential reference number starting with 1 |
| Project or business process | This could be the name of a new project or the name of an existing business process that processes personal data |
| Personal data item | The actual data involved; this may be a single item or a logical group of data, e.g. "customer name" or "customer name and address" |
| Description | More information about the data item(s), if required |
| Special category of personal data? | Does the personal data fall into one or more of the special categories defined by the GDPR, namely racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, or data concerning a natural person's sex life or sexual orientation? |
| Obtained from data subject? | Was the data obtained from the data subject directly, or was it obtained from another source, such as a supplied database? |
| Owner | The role that is responsible for the personal data |
| Processing purpose | The use that the personal data is put to, e.g. "fulfilling a sale" or "sending marketing information" |
| Lawful basis of processing | The rationale for why the processing is lawful under Article 6 of the GDPR. Options include consent, contractual and legal. |
| If consent-based, how is consent obtained? | If the lawful basis of the processing is consent, how does the data subject signify consent and how would this be evidenced? |
| Automated decision-making? | Does the business process involve a decision based solely on automated processing which may significantly affect the data subject? |
| Level of data subject access | What access does the data subject have to their personal data to exercise their rights, e.g. review it for accuracy and change it? |
| Location stored | The physical place the data reside in, e.g. a server or a filing cabinet |
| Country stored in | The country the data are stored in, i.e. the physical location of the servers that hold the data |
| Retention period | How long the data are kept before being deleted or amended so that they no longer represent personal data |
| Encryption level | Is appropriate encryption applied to the data? |
| Access controls | Are appropriate access controls applied to the data? |
| Third parties shared with | Names of third parties with whom the data are shared, i.e. those that will also hold and process the data on their own account (not simply hosting a storage location that you control) |
| Comments | Any other relevant information |