https://edpb.europa.eu/system/files/2022-02/edpb_letter_ai_liability_out2022-0009_1.pdf
Article in German on ROPA/Privacy Registry/VVT
https://www.dr-datenschutz.de/verzeichnis-von-verarbeitungstaetigkeiten-tipps-zur-umsetzung/
includes links to
- GDD-Praxishilfe DS-GVO Va – Verzeichnis von Verarbeitungstätigkeiten – Verantwortlicher https://www.gdd.de/downloads/praxishilfen/GDD-Praxishilfe_DS-GVO_5_a_V2.pdf
- Bitkom – Das Verarbeitungsverzeichnis https://www.bitkom.org/sites/default/files/file/import/180529-LF-Verarbeitungsverzeichnis-online.pdf
- Muster – e.g. Arztpraxis https://www.lda.bayern.de/media/muster_5_arztpraxis_verzeichnis.pdf or (large template) https://www.lda.bayern.de/media/dsk_muster_vov_verantwortlicher.pdf
Netherlands: DPIA on Microsoft Teams OneDrive SharePoint and Azure AD
Interesting structure:
Contents
Summary
Introduction
Part A. Description of the data processing
1. The processing of Diagnostic Data
1.1 About Teams, OneDrive, SharePoint Online and the Azure AD
1.2 Difference between Content, Functional and Diagnostic Data
1.3 Different types of Diagnostic Data
2. Personal data and data subjects
2.1 Definitions of different types of personal data
2.2 Telemetry data mobile Teams, OneDrive and SharePoint apps
2.3 Outgoing traffic to third parties
2.4 Diagnostic data from audits logs and admin consoles in Teams, OneDrive and Sharepoint
2.5 Results access requests
2.6 Analytical services based on the system-generated log files
2.7 Types of personal data and data subjects
3. Privacy controls
3.1 Privacy controls system administrators
3.2 Privacy controls end users
4. Purposes of the processing
4.1 Purposes Diagnostic Data generated on cloud servers
4.2 Purposes Telemetry Data generated on user devices and browser
4.3 Purposes Microsoft and third parties as data controllers
5. (Joint) controller or processor
5.1 Definitions
5.2 Contractual arrangements between SLM Rijk, SURF and Microsoft
5.3 Data processor
5.4 Data controller
5.5 Joint controllers
6. Interests in the data processing
6.1 Interests of the government organisations and universities
6.2 Interests of Microsoft
6.3 Joint interests
7. Transfer of personal data outside of the EU
7.1 Microsoft’s factual transfers of personal data to the USA
7.2 GDPR rules for transfers of personal data
7.3 Data Transfer Impact Assessment (DTIA)
8. Techniques and methods of the data processing
8.1 Encryption
8.2 Big Data Processing
9. Additional legal obligations: e-Privacy Directive
10. Retention periods
Part B. Lawfulness of the data processing
11. Legal Grounds
11.1 Diagnostic data Teams, OneDrive, Sharepoint Online and the Azure AD
11.2 Telemetry data Office for the Web and Required Service Data
11.3 Controller Connected Experiences
11.4 Analytics & reports in Teams and Viva Advanced Insights
12. Special categories of data
13. Purpose limitation
14. Necessity and proportionality
14.1 The principle of proportionality
14.2 Assessment of the proportionality
14.3 Assessment of the subsidiarity
15. Data Subject Rights
Part C. Discussion and Assessment of the Risks
16. Risks
16.1 Identification of Risks
16.2 Assessment of Risks
16.3 Summary of risks
Part D. Description of risk mitigating measures
17. Risk mitigating measures
17.1 Measures against the one high and six low risks
Conclusions
APPENDIX 1
Paper: Data Protection Impact Assessments in Practice
Data Protection Impact Assessments in Practice
Experiences from Case Studies
Michael Friedewald, Ina Schiering, Nicholas Martin, Dara Hallinan
https://link.springer.com/chapter/10.1007/978-3-030-95484-0_25
CH: D. Rosenthal: DSAT – Datenschutz Self-Assessment Tool
Google Playstore Privacy Policy related links
Google Play Developer Policy Center
https://play.google.com/about/developer-content-policy/
- Privacy, Deception and Device Abuse https://support.google.com/googleplay/android-developer/topic/9877467
- Provide information for Google Play’s Data safety section https://support.google.com/googleplay/android-developer/answer/10787469?hl=en#zippy=%2Cdata-types%2Cdata-collection%2Cdata-sharing
CH privatim: paper on cloud-specific risks and controls (in German)
Überarbeitetes privatim-Merkblatt «Cloud-spezifische Risiken und Massnahmen»
https://www.privatim.ch/de/uberarbeitetes-privatim-merkblatt-cloud-spezifische-risiken-und-massnahmen-2/
CNIL on Google Analytics (Feb 2022)
largely follows DSB Austria
also in English:
https://www.cnil.fr/en/use-google-analytics-and-data-transfers-united-states-cnil-orders-website-manageroperator-comply#
The actual decision:
https://www.cnil.fr/sites/default/files/atoms/files/med_google_analytics_anonymisee.pdf
BSI Grundschutzkompendium 2022
Germany: DPA ULD: Cookie/tracking standard template to site owners on typical website problems
Hinweisschreiben des ULD zu typischen Problemen bei Websites
at “Datenschutz-Guru”:
https://www.datenschutz-guru.de/hinweisschreiben-des-uld-zu-typischen-problemen-bei-websites/