Organisations have one or more sites with responsible employees. Personal data is exchanged between the sites within and outside the EU. These data flows must be recorded and legally secured.
Background
Larger organisations such as groups of companies, corporations, municipal administrations or social welfare organisations often consist of several locations between which personal data is transferred.
From a data protection perspective, it is important to ensure that the transfer between these locations is legally permissible. Data traffic is always legally permissible of personal data:
- are transferred within the European Union,
- transferred outside the European Union to third countries with an adequate level of protection
Data traffic is always legally impermissible if personal data:
- are transferred outside the European Union to third countries without an adequate level of data protection.
In addition to the above criteria, there must also be a legal basis for the data processing. This can be recorded in the record of processing activities for each processing activity.
The European Commission decides which third countries meet adequate data protection requirements.
The organisation's locations are subject to different data protection-related restrictions, depending on their characteristics. The following issues play an important role in data protection for sites:
- Is a site located within the European Union?
- Is a site located in a third country with an adequate level of data protection?
- Is a site located in an unsecure third country and there are agreements in place there, such as the Standard Contractual Clauses, which nevertheless permit data transfer?
How to proceed if a site is located in a third country is described in this Wiki article. How to transfer data to the USA in a legally compliant manner can be found in this Wiki article.
Manage locations
- In the main menu click on Organisational data: A dropdown menu opens.
- In the dropdown menu click on Organisation: Another dropdown menu opens.
- In the second dropdown menu click on Locations: The table view will open.
The general functionality of the table view is described in the article Using the table view.
Click to enlarge image
In the table view you can see the overview of the already created locations.
Create locations
- In the main menu click on Organisational data: A dropdown menu opens.
- In the dropdown menu click on Organisation: Another dropdown menu opens.
- In the second dropdown menu click on Locations: The table view opens.
- Click on the button +Location: A quick start input mask opens in which the title and city can be recorded.
- Fill out the fields of the quick start input mask.
- Click on Edit: An empty input mask opens.
- Fill out the input mask.
- Click on Save: The location has been created and will appear in the table view.
Note
If you select Without edit in the quick start window, the location will be saved in the table view without any further details, and can be edited at a later time.
Data areas of the input mask
Click to enlarge image
The left panel has the following data areas:
- Specification: Data protection relevant information about the location
- Address: Address of the location
- Contact information: General contact information about the location
Data area: Specification
This data area has the following form fields:
- Title (mandatory field): Enter the title of the location. The title will be displayed in other form fields if you need to assign records to locations. This is the case, for example, when creating the list of processing activities.
- Legal form: Enter the legal form of the site. If sites are part of a larger organisation, e.g., a corporate group, they are often separate companies organised as a separate legal form, such as that of a GmbH or AG. At this point you can select the respective legal form.
- Headquarters (mandatory field): Indicate whether the registered location is the company's headquarters. It is relevant under data protection law whether the main location is located within the EU. If this is not the case, according to Article 27 GDPR, a controller for this location with headquarters within the EU must be named. Ideally, this is also reported to the competent supervisory authorities and at least named in the privacy policy on the company's website. Within Robin Data, the controller is to be created as a person.
- Country (mandatory field): Specify in which country the site is located. For data protection reasons, it is important to know to which countries personal data is transferred. If personal data is transferred outside the EU, this transfer may need to be secured by special contracts.
- Responsible persons: Select a person who is the responsible person for this site. For example, this can be an executive director, office manager, plant manager, or facility manager. To select a person from the list, you must first create the person.
- Representative within the EU: If the main site is located outside the European Union, a responsible person for this site with headquarters within the EU must be named in accordance with Article 27 GDPR (see also "Main site"). This can in principle be any person in your organisation, but is ideally a person with a management function. To be able to select a person from the list, you must first create this person.
- Type (mandatory field): From a data protection perspective, it is important to specify for each location whether it is a so-called public body or non-public body. Public bodies, at least in Germany, are subject not only to the general data protection regulations (GDPR, BDSG) but also to the data protection regulations of the individual federal states (state data protection law).
- Supervisory authority: Select the responsible supervisory authority.
Data area: Address
This data area has the following form fields:
- Street, house number: Enter the street and house number of the location.
- Postcode: Enter the postal code of the location.
- City (mandatory field): Enter the city of the location.
Data area: Contact information
This data area has the following form fields:
- Phone: Enter the general phone number of the location (e.g. the receptionist)
- Fax: Enter the general fax number of the location (e.g. the mailroom)
- Email: Enter the location's general email address (eg. info@examplelocation.com)
- Website: Enter the location's or the overall organisation's website
The right panel has the following data areas:
- Matcher Tab: You can use the matcher to link documents (such as activities or technical and organisational measures) and view linked documents. The matcher can be used to create additional documents that can be linked to the open document. For a more detailed explanation, see the article Use the matcher.
- Status Tab: In this tab it is possible to manage the status of a document and to add notes about the location.
- Attachments tab: In this tab you can add related documents by clicking the Select File button.
- External Links Tab: In this tab you can link related information using the Add external link button.
Note
The functions of the former activities tab have been integrated into the matcher tab. The matcher can be used to create activities and link them to records.
Data area: Status
This data area has the following form fields.
- Notes: Your notes about this location.
- Color coding of the document: Select color coding of the document. This is also displayed in the table. You can define color labels in Organisational data > Management-System > Content groups
The general use of the input masks with forms is explained in the article Input masks with forms.
Related links
- Wiki article: Data transmission to third countries
- Wiki article: EU Standard Contractual Clauses
Further questions? - We are here for you.
If you have any questions about the software, please contact our support team. You can reach us at support@robin-data.io.