-
Notifications
You must be signed in to change notification settings - Fork 13
/
processing-activities-records-schema.json
473 lines (473 loc) · 25.1 KB
/
processing-activities-records-schema.json
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
{
"$schema": "http://json-schema.org/draft-07/schema#",
"$id": "https://www.circl.lu/gdpr-processing.schema",
"title": "Validator schema for GDPR records of processing activities",
"additionalProperties": true,
"type": "array",
"items": {
"title": "Processing activities",
"type": "object",
"properties": {
"id_old": {
"description": "Old reference of the processing activity. Can be deleted if not needed",
"type": "number"
},
"id": {
"description": "Unique reference of the processing activity.",
"type": "number"
},
"name": {
"description": "Name of the processing activity, not related to any GDPR article.",
"type": "string"
},
"purpose": {
"description": "The purpose of the processing. Ref GDPR Art. 30(1)(b)",
"type": "string",
"enum": [
"GDPR Recital 49 - ensuring network and information security",
"Research",
"Education, awareness and training",
"Advertising, marketing and public relations",
"Staff administration",
"Office management",
"Accounting and auditing"
]
},
"description": {
"description": "Description of the processing activity.",
"type": "object",
"properties": {
"type": {
"description": "Type of the processing activity.",
"type": "string",
"enum": [
"Incident Response",
"Proactive Activities",
"Other services",
"Organisational"
],
"required": true
},
"summary": {
"type": "string"
},
"tools": {
"description": "Supporting IT systems involved in the processing of personal data. It is specifically relevant to mention tools, which have their own database to keep track of the personal data. Not related to any GDPR article.",
"type": "array",
"items": {
"type": "string"
}
},
"RFC_2350_generic": {
"description": "Reference to the RFC 2350 (Expectations for Computer Security Incident Response).",
"type": "array",
"items": {
"type": "string",
"enum": [
"3.5.1.1. Incident Triage - Report assessment",
"3.5.1.1. Incident Triage - Verification",
"3.5.1.2. Incident Coordination - Information categorization",
"3.5.1.2. Incident Coordination - Coordination",
"3.5.1.3. Incident Resolution - Technical Assistance",
"3.5.1.3. Incident Resolution - Eradication",
"3.5.1.3. Incident Resolution - Recovery",
"3.5.2. Proactive Activities - Information provision",
"3.5.2. Proactive Activities - Security Tools",
"3.5.2. Proactive Activities - Education and training",
"3.5.2. Proactive Activities - Product evaluation",
"3.5.2. Proactive Activities - Site security auditing and consulting"
]
}
},
"RFC_2350_CIRCL": {
"description": "Reference to CIRCL implementation of RFC 2350 (https://www.circl.lu/mission/rfc2350).",
"type": "array",
"items": {
"type": "string",
"enum": [
"Incident triage - Investigating whether indeed an incident occurred.",
"Incident triage - Determining the extent of the incident.",
"Incident coordination",
"Incident coordination - Determining the initial cause of the incident",
"Incident coordination - Facilitating contact with other sites which may be involved.",
"Incident coordination - Facilitating contact with appropriate law enforcement officials, if necessary.",
"Incident coordination - Making reports to other CSIRTs",
"Incident coordination - Composing announcements to users, if applicable",
"Incident coordination - Ensuring adequate threat sharing information for proactive measures.",
"Incident resolution - Helping to remove the vulnerability",
"Incident resolution - Helping to secure the system from the effects of the incident",
"Incident resolution - Collecting evidence of the incident",
"Proactive services - Information services such as: list of security contacts, repository of security-related patches for various operating systems",
"Proactive services - Training and educational services",
"Proactive services - Development of security tools in the field of analysis, threat and information sharing, security assessments."
]
}
}
}
},
"legal_ground": {
"description": "Lawfulness/grounds for the processing activity. Reference GDPR Art. 6 & 5(a).",
"type": "object",
"properties": {
"lawfulness": {
"type": "string",
"enum": [
"data subject has given consent to the processing of his or her personal data",
"processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract",
"processing is necessary for the compliance with a legal obligation to which the controller is subject",
"processing is necessary in order to protect the vital interests of the data subject or of another natural person",
"processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller",
"processing is necessary for the purposes of the legitimate interests pursued by the controller of by a third party"
],
"required": true
},
"CIRCL_mandate_references": {
"description": "Reference to CIRCL mandate (https://www.circl.lu/assets/files/letter-circl-2015.pdf).",
"type": "array",
"items": {
"type": "string",
"enum": [
"acts as the economic and communes CERT",
"identifies synergies in the area of information capabilities",
"increase readiness and incident response capabilities",
"performs research at a global level",
"establishes EU wide and international collaboration",
"shares information about threats",
"implements an early warning sensor network and thus increase the attractiveness of Luxembourg as a trusted e-economy hub"
]
}
},
"NISD_references": {
"description": "Reference to related NISD requirements for CSIRTs.",
"type": "array",
"items": {
"type": "string",
"enum": [
"NISD Annex I (2)(a)(i) - Monitoring incidents at a national level",
"NISD Annex I (2)(a)(ii) - Providing early warning, alerts, announcements and dissemination of information to relevant stakeholders about risks and incidents",
"NISD Annex I (2)(a)(iii) - Responding to incidents",
"NISD Annex I (2)(a)(iv) - Providing dynamic risk and incident analysis and situational awareness",
"NISD Annex I (2)(a)(v) - Participating in the CSIRTs network",
"NISD Annex I (2)(b) - CSIRTs shall establish cooperation relationships with the private sector",
"NISD Annex I (2)(c) - To facilitate cooperation, CSIRTs shall promote the adoption and use of common or standardised practices for (i) incident and risk-handling procedures",
"NISD Annex I (2)(c) - To facilitate cooperation, CSIRTs shall promote the adoption and use of common or standardised practices for (ii) incident, risk and information classification schemes"
]
}
},
"others": {
"description": "Other reference or explanation of the lawfulness of this processing activity. No related to any GDPR article.",
"type": "array",
"items": {
"type": "string"
}
}
}
},
"data_subjects": {
"description": "Categories of the data subjects. Reference GDPR Art. 30 (1)(c).",
"type": "array",
"items": {
"type": "string"
}
},
"personal_data": {
"description": "Personal data processed. Reference GDPR Art. 30 (1)(c).",
"type": "object",
"properties": {
"source": {
"type": "array",
"items": {
"type": "string"
}
},
"data": {
"type": "array",
"items": {
"type": "object",
"properties": {
"description": {
"type": "string"
},
"category": {
"type": "string",
"enum": [
"Information extracted from computer and networking systems",
"Network information",
"Any, potentially including special categories of data",
"Personal details",
"Employment details"
]
},
"special_catgories": {
"description": "If special categories of data are involved, please specify the categories",
"type": "array",
"items": {
"type": "string",
"enum": [
"Racial or ethnic origin",
"Political opinions",
"Religious or other beliefs of a similar nature",
"Physical or mental health or condition",
"Sexual life",
"Offences (including alleged offences)",
"Criminal proceedings, outcomes and sentences",
"Biometric data",
"Genetic data",
"Any"
]
}
},
"required": [
"description"
]
}
}
}
}
},
"retention_period": {
"description": "Retention schedule/storage limitation. Reference GDPR Art. 30(1)(f) and Art. 5(e).",
"type": "string"
},
"controller": {
"description": "Controller of the processing activity.",
"type": "string"
},
"joint_controllers": {
"description": "Joint controller if applicable. Reference GDPR Art. 30 (1)(a).",
"type": "array",
"items": {
"type": "string"
}
},
"data_processor": {
"description": "Data processor if applicable.",
"type": "string"
},
"recipients": {
"description": "Categories of recipients. Reference GDPR Art. 30 (1)(d).",
"type": "array",
"items": {
"type": "string"
}
},
"international_transfer": {
"description": "Whether any personal data in this processing activity is transfer to a third country or an international organisation. Reference GDPR Art. 30(1)(e).",
"type": "object",
"properties": {
"transfer": {
"type": "boolean"
},
"entity_list": {
"description": "List of third countries/international organisations personal data are shared with. Reference GDPR Art. 30(1)(e).",
"type": "array",
"items": {
"type": "object",
"properties": {
"entities": {
"type": "array",
"items": {
"type": "string"
}
},
"basis": {
"type": "string",
"enum": [
"Adequacy decision (GDPR Art. 45)",
"Appropriate safeguards (GDPR Art. 46)",
"Transfer of data is required by a legal entity in a third country and is based on an international agreement in force between the requesting third country and the Union or a Member State (GDPR Art. 48)",
"Derogations for specific situations (GDPR Art. 49)",
"The transfer is not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject, and the controller has assessed all the circumstances surrounding the data transfer and has on the basis of that assessment provided suitable safeguards with regard to the protection of personal data (GDPR Art. 49)"
]
},
"details": {
"description": "e.g. documentation of security measures and suitable safeguards in the scope of the transfer. Only mandatory in case of Art. 49(1), i.e. 'The transfer is not repetitive, concerns only a limited number [..]'",
"type": "string"
}
}
}
}
},
"required": [
"transfer"
]
},
"data_subject_rights": {
"type": "object",
"properties": {
"restrictions": {
"type": "array",
"items": {
"type": "object",
"properties": {
"data_subjects": {
"type": "array",
"description": "On what type of data subject the restriction apply",
"items": {
"type": "string"
}
},
"rigths": {
"description": "The restriction can apply on the rights listed here",
"type": "array",
"items": {
"type": "string",
"enum": [
"transparency",
"right of access",
"right_of_rectification",
"right_of_erasure",
"right_of_restriction",
"right_to_data_portability",
"right_to_object",
"automated_individual_decision_making"
]
}
},
"justification": {
"description": "Reference to the GDPR article which allows the restriction",
"type": "object",
"properties": {
"articles": {
"type": "string",
"enum": [
"GDPR Art. 14(5)(b), Specific to Information to be provided to the data subject - Paragraphs 1 to 4 shall not apply where [..] the provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the conditions and safeguards",
"GDPR Art. 14(5)(b), Specific to Information to be provided to the data subject - Paragraphs 1 to 4 shall not apply where [..] the obligation referred to in paragraph 1 of this Article is likely to render impossible or seriously impair the achievement of the objectives of that processing",
"GDPR Art. 17(3)(d), Specific to Right to erasure - Paragraphs 1 and 2 shall not apply to the extent that processing is necessary [..] for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing",
"GDPR Recital 57 & Art. 11 - Articles 15 to 20 shall not apply except where the data subject, for the purpose of exercising his or her rights under those articles, provides additional information enabling his or her identification",
"GDPR Recital 73 & Art. 23(1)(a)- national security - Union or Member State law to which the data controller or processor is subject may restrict by way of a legislative measure the scope of the obligations and rights provided for in Article 12 to 22 and Article 34, as well as Article 5 [..]",
"GDPR Recital 73 & Art. 23(1)(b) - defence - Union or Member State law to which the data controller or processor is subject may restrict by way of a legislative measure the scope of the obligations and rights provided for in Article 12 to 22 and Article 34, as well as Article 5 [..]",
"GDPR Recital 73 & Art. 23(1)(c) - public security - Union or Member State law to which the data controller or processor is subject may restrict by way of a legislative measure the scope of the obligations and rights provided for in Article 12 to 22 and Article 34, as well as Article 5 [..]",
"GDPR Recital 73 & Art. 23(1)(d) - prevention, investigation, detection or prosecution of criminal offences or execution of criminal penalties - Union or Member State law to which the data controller or processor is subject may restrict by way of a legislative measure the scope of the obligations and rights provided for in Article 12 to 22 and Article 34, as well as Article 5 [..]",
"GDPR Recital 73 & Art. 23(1)(e) - other important objectives of general public interest - Union or Member State law to which the data controller or processor is subject may restrict by way of a legislative measure the scope of the obligations and rights provided for in Article 12 to 22 and Article 34, as well as Article 5 [..]",
"GDPR Recital 73 & Art. 23(1)(f) - the protection of judicial independence and judicial proceedings - Union or Member State law to which the data controller or processor is subject may restrict by way of a legislative measure the scope of the obligations and rights provided for in Article 12 to 22 and Article 34, as well as Article 5 [..]",
"GDPR Recital 73 & Art. 23(1)(g) - the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions - Union or Member State law to which the data controller or processor is subject may restrict by way of a legislative measure the scope of the obligations and rights provided for in Article 12 to 22 and Article 34, as well as Article 5 [..]",
"GDPR Recital 73 & Art. 23(1)(h) - a monitoring, inspection or regulatory function - Union or Member State law to which the data controller or processor is subject may restrict by way of a legislative measure the scope of the obligations and rights provided for in Article 12 to 22 and Article 34, as well as Article 5 [..]",
"GDPR Recital 73 & Art. 23(1)(i) - the protection of the data subject or the rights and freedoms of others - Union or Member State law to which the data controller or processor is subject may restrict by way of a legislative measure the scope of the obligations and rights provided for in Article 12 to 22 and Article 34, as well as Article 5 [..]",
"GDPR Recital 73 & Art. 23(1)(j) - the enforcement of civil law claims - Union or Member State law to which the data controller or processor is subject may restrict by way of a legislative measure the scope of the obligations and rights provided for in Article 12 to 22 and Article 34, as well as Article 5 [..]",
"Other"
]
},
"details": {
"description": "Details on the justification for the restriction, such as demonstration the controller is not in a position to identify the data subject (GDPR Art. 11(2))",
"type": "string"
}
}
}
}
}
},
"transparency": {
"description": "Information and access to personal data. Reference GDPR Art. 12, 13, 14.",
"type": "object",
"properties": {
"required": {
"type": "boolean",
"description": "Whether the processing activity needs to have a privacy notice or equivalent towards the data subject"
},
"data_subjects": {
"type": "array",
"description": "On what type of data subject the transparency principle apply",
"items": {
"type": "string"
}
},
"source": {
"type": "string",
"description": "Whether personal data have been collected from the data subject",
"enum": [
"personal data are collected from the data subject",
"personal data have not been obtained from the data subject"
]
},
"details": {
"type": "string"
},
"references": {
"description": "Add the link or procedure to the privacy notice(s) or equivalent",
"type": "string"
}
}
},
"right_of_access": {
"description": "Right of access. Reference GDPR Art. 15.",
"type": "array",
"items": {
"type": "string"
}
},
"right_of_rectification": {
"description": "Right of rectification. Reference GDPR Art. 17.",
"type": "array",
"items": {
"type": "string"
}
},
"right_of_erasure": {
"description": "Right of erasure. Reference GDPR Art. 17.",
"type": "array",
"items": {
"type": "string"
}
},
"right_of_restriction": {
"description": "Right of restriction. Reference GDPR Art. 18.",
"type": "array",
"items": {
"type": "string"
}
},
"right_to_data_portability": {
"description": "Right to data portability. Reference GDPR Art. 20.",
"type": "array",
"items": {
"type": "string"
}
},
"right_to_object": {
"description": "Right to object. Reference GDPR Art. 21.",
"type": "array",
"items": {
"type": "string"
}
},
"automation_profiling": {
"description": "Whether the processing activity involves any automated decision-making or profiling.",
"type": "array",
"items": {
"type": "string"
}
}
}
},
"security_measures": {
"description": "Security measures & Integrity & Confidentiality. Security measures can be technical and/or organisational. Reference GDPR Art. 30(1)(e), 32(1) and Art. 5(f).",
"type": "object",
"properties": {
"pseudonymisation": {
"description": "Whether part or all of the dataset is pseudonymised. Not related to any GDPR article.",
"type": "string"
},
"others": {
"type": "array",
"items": {
"type": "string"
}
}
}
}
},
"required": [
"id",
"name",
"purpose",
"legal_ground",
"data_subjects",
"personal_data",
"recipients",
"international_transfer",
"retention_period",
"security_measures"
]
}
}