TISAX: Information security
9.3.1: Data processing activities management

How to fill the requirement

Documentation of personal data processing purposes for data stores
Theme: Privacy
Policy: Processing principles and accountability

This task also fulfils the following other security requirements:

  • 6. Lawfulness of processing (GDPR)
  • 18.1.4: Privacy and protection of personally identifiable information (ISO27 Full)
  • 30. Records of processing activities (GDPR)
  • A.7.2.2: Identify lawful basis (ISO 27701)
  • A.7.2.8: Records related to processing PII (ISO 27701)
1. Task description

Processing of personal data is lawful only if one of the legal bases set out in the General Data Protection Regulation applies. The organization must be able to state the purpose of the processing and its legal basis to the data subject and, where appropriate, to the supervisory authority.

The documentation shall include at least:

  • the legal basis for the processing and the additional information that basis requires (for example, the legitimate interest relied on)
  • the parties to whom the processing has been outsourced
  • the related data sets
Records of processing activities report: publishing and maintenance
Theme: Privacy
Policy: Processing principles and accountability

This task also fulfils the following other security requirements:

  • 30. Records of processing activities (GDPR)
  • A.7.2.8: Records related to processing PII (ISO 27701)
  • TSU-01: Identification of the personal data processed (Julkri)
  • TSU-21: Record of processing activities (Julkri)
  • 61: Record of processing activities (Sec overview)
1. Task description

The record of processing activities is a written description of the organization's processing of personal data.

The record is mandatory if any of the following applies:

  • the organization has 250 or more employees
  • the processing of personal data is not occasional
  • the processing is likely to result in a risk to the rights and freedoms of data subjects
  • the processing includes special categories of data or personal data relating to criminal convictions and offences

The record must be kept up to date. It also serves as a first-level means of assessing the lawfulness of processing, so it must be made available to the supervisory authority on request.

In Cyberday, the record of processing activities is a separate report, compiled automatically from the data entered in the documentation sections.

Documentation of data sets for data stores
Theme: Management of data sets
Policy: Management of data sets

This task also fulfils the following other security requirements:

  • T07: Classification of information (Katakri)
  • 13 §: Information security of data sets and information systems (TiHL)
  • 15 §: Ensuring the security of data sets (TiHL)
  • 6. Lawfulness of processing (GDPR)
  • 5. Principles relating to processing of personal data (GDPR)
1. Task description

The organization shall maintain a list of the data sets held in the data stores it manages.

The documentation shall include at least the following information:

  • Data systems and other means used to process the data set
  • Key categories of data in the data set (and whether it contains personal data)
  • Data retention period (discussed in more detail in a separate task)
  • Information on archiving and disposal of the data (discussed in more detail in a separate task)
Privacy notices report: publishing and maintenance
Theme: Privacy
Policy: Informing and data subject requests

This task also fulfils the following other security requirements:

  • 14. Information to be provided where personal data have not been obtained from the data subject (GDPR)
  • 12. Transparent information, communication and modalities for the exercise of the rights of the data subject (GDPR)
  • 13. Information to be provided where personal data are collected from the data subject (GDPR)
  • 18.1.4: Privacy and protection of personally identifiable information (ISO27 Full)
  • A.12.1: Geographical location of PII (ISO 27018)
1. Task description

When personal data are processed, the data subject must be given the information specified in the GDPR in a concise, intelligible and easily accessible form. This is usually done through privacy notices published, for example, on the organization's website.

Where the personal data have not been collected from the data subject, the privacy notice must state, in addition to the basic content:

  • the source from which the data were obtained
  • the categories of personal data concerned
Data store listing and owner assignment
Theme: Privacy
Policy: Processing principles and accountability

This task also fulfils the following other security requirements:

  • 5 §: Information management model and assessment of the impact of changes (TiHL)
  • 6. Lawfulness of processing (GDPR)
  • 5. Principles relating to processing of personal data (GDPR)
  • 8.1.1: Inventory of assets (ISO27 Full)
  • 6.7: Customer and patient information systems, information systems connected to them, and other information systems (Self-monitoring)
1. Task description

The organization must maintain a list of the data stores it controls and their owners. The owner is responsible for completing the documentation and for any other security actions directly related to the data store.

Data store documentation must include at least:

  • Associated responsibilities
  • Data processing purposes (covered in a separate task)
  • Data sets included in the data store (covered in a separate task)
  • Data disclosures (covered in a separate task)
  • Where relevant, the data store's connections to operational processes
Ensuring the timeliness of privacy communication
Theme: Privacy
Policy: Informing and data subject requests

This task also fulfils the following other security requirements:

  • 12. Transparent information, communication and modalities for the exercise of the rights of the data subject (GDPR)
  • 18.2.2: Compliance with security policies and standards (ISO27 Full)
  • 18.1.4: Privacy and protection of personally identifiable information (ISO27 Full)
  • A.7.3.2: Determining information for PII principals (ISO 27701)
  • TSU-19.2: Rights of the data subject - Transparent information (Julkri)
1. Task description

The purposes for which personal data are processed change as the business develops. Privacy communications must be kept up to date and reflect the actual state of processing.

The organization regularly checks that all processing purposes are mentioned in its communications (e.g. privacy notices), that the processing is described accurately, and that the information is provided to data subjects within the time limits required by the GDPR.
