Template: Data Flow Mapping for Compliance Contract Library B
Purpose
- Provide a standardized record of processing and data flow mapping for all activities related to “Contract Library B,” aligned to GDPR Article 30 (ROPA), GDPR Articles 5, 6, 9, 28, 32, 35, and CPRA (CCPA as amended) requirements including sale/share assessment, sensitive personal information handling, retention, and data subject rights.
- Enable DPIA/TRA screening, cross-border transfer compliance, and processor oversight.
Instructions
- Complete one entry per distinct data flow (source → processing → storage → disclosure/transfer) associated with Contract Library B (e.g., ingestion of contracts, metadata extraction, analytics, search, sharing with vendors).
- Use controlled vocabularies where indicated; attach supporting artifacts (DPA, SCCs, TIAs, retention policy, security controls) where relevant.
- Maintain versioning and approval history.
Section 1: Record Metadata
- Flow ID:
- Flow Name:
- Version / Date:
- Owner (Role/Name):
- Business Unit:
- Product/Service Context:
- Linked Contract(s) (IDs, title, counterparty):
- Related Processing Agreement(s) (DPA, SCC/IDTA, BCR ref):
- Status (planned, live, retired):
Section 2: Purpose and Legal Basis
- Processing Purpose(s) (select/describe; e.g., contract lifecycle management, search/indexing, compliance reporting, analytics, eDiscovery, audit):
- Lawful Basis (GDPR Article 6) per purpose:
- Contract performance
- Legal obligation
- Legitimate interests (include LIA reference and summary)
- Consent (attach consent mechanism; scope; withdrawal method)
- Vital interests / Public task (if applicable)
- Special Categories Processing (GDPR Article 9): yes/no; category; exemption relied upon (explicit consent, employment/social protection law, legal claims, etc.)
- Automated Decision-Making/Profiling (GDPR Article 22): yes/no; description; safeguards.
Section 3: Data Subjects and Data Categories
- Data Subject Types:
- Employees
- Contractors
- Customers/clients
- Counterparties’ personnel
- Vendors/subprocessors
- Website/app users
- Children (note age and jurisdictional threshold: COPPA applies under 13 in the US; CPRA requires opt-in before selling/sharing data of consumers under 16, with parental consent under 13; GDPR Article 8 defaults to 16 for information society services, and Member States may lower this to 13)
- Personal Data Categories (GDPR):
- Identifiers (name, email, phone)
- Government IDs (SSN, passport, driver’s license)
- Employment details (title, compensation)
- Contract content containing personal data
- Financial/payment data
- Location data
- Online identifiers (IP address, device ID)
- Communications (email content, call recordings)
- Biometric/genetic (for identification)
- Health data
- Inferences
- Sensitive Personal Information (CPRA):
- Precise geolocation
- Government IDs
- Account log-in or financial account/card number in combination with credentials allowing access to the account
- Racial/ethnic origin
- Religious/philosophical beliefs
- Union membership
- Genetic/biometric data
- Health data
- Sex life/sexual orientation
- Contents of mail, email, or text messages (unless the business is the intended recipient)
- Data Elements (list specific fields extracted/processed; link to data dictionary).
Section 4: Collection and Sources
- Collection Method(s) (upload, API, email ingestion, OCR, web form, SSO sync):
- Source Systems/Repositories:
- Collection Points (jurisdictions):
- Notice at Collection reference(s) (CCPA/CPRA; link to notice; version/date):
- Consent/Opt-in mechanism (if applicable):
- GPC (Global Privacy Control) and Do Not Sell/Share signal handling (yes/no; method, e.g. reading the Sec-GPC: 1 request header or navigator.globalPrivacyControl and recording the opt-out against the consumer's record; state where the preference is stored and which downstream disclosures consult it).
Section 5: Processing Activities and Systems
- Processing Steps (sequence; e.g., ingest → normalize → index → classify → analyze → report):
- Systems/Applications (names; owner; environment: prod/dev/test):
- Data Storage Locations (logical and physical; cloud region):
- Data Formats (text, PDF, metadata, embeddings):
- Data Flow Diagram reference (link or file ID):
- Frequency and Volume (batch/real-time; records/day; peak throughput).
Section 6: Disclosures, Recipients, and Third Parties
- Internal Recipients (teams/roles; access controls):
- External Recipients:
- Service providers/contractors (list; role; services)
- Subprocessors (if processor role)
- Auditors/regulators (legal obligation)
- CCPA/CPRA Classification per recipient:
- Service provider/contractor (contract terms limit use; no sale/share)
- Third party (potential sale/share)
- Sale or Share Assessment (CPRA):
- Sale (valuable consideration): yes/no; rationale
- Share (cross-context behavioral advertising): yes/no; rationale
- Opt-out mechanism and preference enforcement (including GPC): method; tested date
- Contractual Controls:
- DPA status (executed date)
- CPRA-compliant terms (prohibitions on combining data, subcontractor flow-down, assistance with rights)
- SCC/IDTA module(s) used; annexes referencing Library B data
- Security addendum and audit rights
- International Transfers:
- Destination country(ies)
- Transfer Mechanism (Adequacy; SCC Module 2/3, selected to match the controller/processor roles recorded in Section 11; IDTA or UK Addendum to the EU SCCs for UK data; BCR)
- Transfer Impact Assessment reference and outcome
- Supplementary measures (encryption, split processing, access controls).
Section 7: Security Measures (GDPR Article 32; CPRA)
- Access Control (RBAC/ABAC; least privilege; admin segregation):
- Authentication (SSO, MFA):
- Encryption (in transit: TLS version, minimum TLS 1.2, and cipher policy; at rest: algorithm, key management service/HSM, rotation schedule, and whether keys are scoped per tenant or per record so that the cryptographic erasure named in Section 8 is actually possible):
- Data Minimization/Pseudonymization:
- Logging/Monitoring (security logs; DLP; anomaly detection):
- Vulnerability Management (patch cadence; code scanning):
- Backup/Restore (RPO/RTO; tested date):
- Secure Development (SDLC; privacy by design checkpoints):
- Vendor Security Assurance (SIG/CAIQ; audit report references):
- Breach Detection and Response (playbook link; GDPR Article 33 readiness: as controller, notification to the supervisory authority within 72 hours of becoming aware; as processor, notification to the controller without undue delay; contractual notification SLAs with vendors and subprocessors).
Section 8: Retention and Deletion
- Retention Schedule (by data category/purpose; statutory references):
- Triggers (contract expiry, project end, legal hold release):
- Deletion Method (cryptographic erasure, which is only effective if the destroyed keys are scoped to the data being deleted and every copy, including backups and search indexes, is encrypted under them; secure wipe):
- Archival Controls (immutable storage; access restrictions):
- CPRA Retention Disclosure alignment (public notice consistency check):
- Backup Data Deletion/Rotation policy (how a deletion propagates to backups, search indexes, and derived artifacts such as extracted metadata and embeddings, and the maximum lag before those copies are purged or rotated out).
Section 9: Data Subject Rights and Requests
- Applicable Rights (GDPR: access, rectification, erasure, restriction, portability, objection; CPRA: access, deletion, correction, opt-out of sale/share, limit use of sensitive PI):
- Request Intake Channels (portal, email, phone):
- Identity Verification process:
- Fulfillment Workflow (systems queried; data mapping references):
- Timelines (GDPR: one month, extendable by two further months for complex or numerous requests under Article 12(3); CPRA: 45 days, extendable once by a further 45 days, with opt-out of sale/share requests honored within 15 business days; document the extension criteria applied):
- Exceptions (legal holds, trade secrets, security exemptions):
- Recordkeeping (logs; metrics).
Section 10: DPIA/TRA Screening and Risk
- DPIA Trigger Assessment (scale, sensitive data, vulnerable subjects, systematic monitoring, automated decisions, new tech):
- Risk Summary (confidentiality, integrity, availability, re-identification, transfer risk):
- Mitigations Implemented:
- Residual Risk Rating (low/medium/high) and approval:
- DPIA Reference (link; date; approver).
Section 11: Roles and Accountability
- Controller vs Processor Role (per flow; per jurisdiction):
- Joint Controller arrangements (if any; agreement reference):
- DPO/Privacy Lead (name/contact):
- Security Owner:
- Business Owner:
- Vendor Manager (if applicable).
Section 12: Compliance Checks
- GDPR Article 30 ROPA completeness (yes/no):
- Article 28 processor terms verified (yes/no):
- Article 5 principles alignment (purpose limitation, minimization, accuracy, storage limitation, integrity/confidentiality, accountability):
- CPRA Service Provider/Contractor term audit (yes/no; date):
- Notice and Consent alignment check (yes/no):
- Cross-border transfer compliance verified (yes/no; date):
- Training completed by users with access (yes/no; date):
- Testing of opt-out/limit SPI controls (yes/no; date).
Section 13: Approvals and Review
- Legal/Privacy Review (name/date):
- Security Review (name/date):
- Business Approval (name/date):
- Next Review Due (date):
- Change Log (summary of changes; version history).
Appendix A: Controlled Vocabularies (use in fields above)
- Lawful Basis: contract, legal obligation, legitimate interests, consent, vital interests, public task.
- CPRA Recipient Type: service provider, contractor, third party.
- CPRA Sale/Share Status: not sold/shared; sold; shared; unknown (investigation).
- Transfer Mechanism: adequacy, SCC Module 2, SCC Module 3, IDTA, BCR.
- Risk Rating: low, medium, high.
Notes for Contract Library B Context
- Explicitly identify whether contract documents themselves contain personal data of counterparties or employees; treat contract content as a data source and apply minimization (e.g., redact unnecessary personal fields).
- If using AI/NLP for contract analysis, document model inputs/outputs, training data sources (including whether Library B content is used to train or fine-tune any model), data isolation between tenants, and any vendor involvement. Treat extracted metadata and embeddings derived from contract text as in scope for the data categories, retention, and data subject rights sections, since they are derived from the same personal data. Confirm no use for cross-context behavioral advertising; assess for profiling risks.
- Ensure service provider/contractor agreements include CPRA-compliant restrictions: use only for specified business purposes, no sale/share, assistance with consumer requests, GPC honoring, subcontractor flow-down, and audit rights.
- Align retention with statutory requirements for contracts while segregating and separately applying shorter retention for extracted personal data where feasible.
Deliverable Format
- Recommended format: machine-readable (JSON or CSV) plus human-readable register (document). Maintain references to artifacts (DPA, SCCs, DPIA) and diagrams in a shared repository with access controls.
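One way to put the machine-readable register to work is to check each flow record for the cross-field consistency the template implies (a legitimate-interests basis needs an LIA, a third-party recipient needs a resolved sale/share assessment, a non-adequacy transfer needs a TIA, every data category needs a retention entry, any DPIA trigger needs a DPIA reference). The script below is an added example and not part of the template: the JSON key names, the sample record, its identifiers and dates are all constructed for illustration, not a prescribed schema.

```python
"""Consistency checks for a machine-readable flow record (JSON) built from
this template.  Added example, not part of the template: the key names and
the sample record below are an assumed layout, not a prescribed schema."""
import json

# Controlled vocabularies from Appendix A.
LAWFUL_BASES = {"contract", "legal obligation", "legitimate interests",
                "consent", "vital interests", "public task"}
RECIPIENT_TYPES = {"service provider", "contractor", "third party"}
SALE_SHARE_STATUS = {"not sold/shared", "sold", "shared", "unknown"}
TRANSFER_MECHANISMS = {"adequacy", "SCC Module 2", "SCC Module 3", "IDTA", "BCR"}
# Section 10 DPIA screening triggers, represented as boolean flags on the record.
DPIA_TRIGGERS = ("large_scale", "special_categories", "vulnerable_subjects",
                 "systematic_monitoring", "automated_decisions", "new_technology")


def check_flow(record: dict) -> list[str]:
    """Return human-readable findings; an empty list means the record passes."""
    findings: list[str] = []

    # Section 2: each purpose needs a vocabulary basis; legitimate interests needs an LIA.
    for purpose, basis in record.get("lawful_basis", {}).items():
        if basis not in LAWFUL_BASES:
            findings.append(f"purpose '{purpose}': lawful basis '{basis}' not in controlled vocabulary")
        elif basis == "legitimate interests" and not record.get("lia_reference"):
            findings.append(f"purpose '{purpose}': legitimate interests without LIA reference")
    if record.get("special_categories") and not record.get("article9_exemption"):
        findings.append("special category data without Article 9 exemption")
    if record.get("automated_decisions") and not record.get("adm_safeguards"):
        findings.append("automated decision-making without documented safeguards")

    # Section 6: recipient classification drives the contract and sale/share checks.
    opt_out = record.get("opt_out", {})
    for r in record.get("recipients", []):
        name, rtype, status = r.get("name", "?"), r.get("type"), r.get("sale_share_status")
        if rtype not in RECIPIENT_TYPES:
            findings.append(f"recipient '{name}': type '{rtype}' not in controlled vocabulary")
            continue
        if rtype != "third party" and not r.get("dpa_executed"):
            findings.append(f"recipient '{name}': {rtype} without executed DPA/CPRA terms")
        if status not in SALE_SHARE_STATUS:
            findings.append(f"recipient '{name}': sale/share status '{status}' not in controlled vocabulary")
        elif rtype == "third party" and status == "unknown":
            findings.append(f"recipient '{name}': third party with unresolved sale/share assessment")
        elif rtype != "third party" and status in ("sold", "shared"):
            findings.append(f"recipient '{name}': {rtype} recorded as sale/share recipient; reclassify")
        if status in ("sold", "shared") and not (opt_out.get("gpc_honored") and opt_out.get("tested_date")):
            findings.append(f"recipient '{name}': sale/share without tested opt-out/GPC enforcement")

    # Section 6: a transfer on anything other than adequacy needs a TIA.
    for t in record.get("transfers", []):
        dest, mech = t.get("destination", "?"), t.get("mechanism")
        if mech not in TRANSFER_MECHANISMS:
            findings.append(f"transfer to {dest}: mechanism '{mech}' not in controlled vocabulary")
        elif mech != "adequacy" and not t.get("tia_reference"):
            findings.append(f"transfer to {dest}: {mech} without Transfer Impact Assessment")

    # Section 8: every data category in scope needs a retention entry.
    retention = record.get("retention", {})
    for cat in record.get("data_categories", []):
        if cat not in retention:
            findings.append(f"data category '{cat}': no retention schedule entry")

    # Section 10: any screening trigger without a DPIA reference.
    hit = [k for k in DPIA_TRIGGERS if record.get(k)]
    if hit and not record.get("dpia_reference"):
        findings.append("DPIA trigger(s) present without DPIA reference: " + ", ".join(hit))
    return findings


def check_file(path: str) -> list[str]:
    """Load one flow record from a JSON file and check it."""
    with open(path, encoding="utf-8") as fh:
        return check_flow(json.load(fh))


# Constructed sample record with deliberate gaps (not real data; IDs and dates invented).
SAMPLE_FLOW = {
    "flow_id": "CLB-FLOW-0007",
    "flow_name": "Contract metadata extraction",
    "lawful_basis": {"contract lifecycle management": "contract",
                     "analytics": "legitimate interests"},
    "lia_reference": None,
    "special_categories": False,
    "automated_decisions": False,
    "data_categories": ["identifiers", "employment details", "contract content"],
    "recipients": [
        {"name": "OCR vendor", "type": "service provider",
         "dpa_executed": "2024-03-01", "sale_share_status": "not sold/shared"},
        {"name": "Analytics partner", "type": "third party",
         "dpa_executed": None, "sale_share_status": "unknown"},
    ],
    "transfers": [{"destination": "United States", "mechanism": "SCC Module 2",
                   "tia_reference": None}],
    "retention": {"identifiers": "contract term + 7 years",
                  "contract content": "contract term + 7 years"},
    "opt_out": {"gpc_honored": False, "tested_date": None},
    "dpia_reference": None,
}

if __name__ == "__main__":
    for finding in check_flow(SAMPLE_FLOW):
        print("FINDING:", finding)
```

Run against the constructed sample, the checker reports four gaps (the missing LIA, the unresolved third-party sale/share assessment, the SCC transfer with no TIA, and the data category with no retention entry), which map directly onto the yes/no items in Section 12. Wire it into the review step so a record cannot reach Section 13 approval with open findings.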
This template is suitable for building a comprehensive data flow register for “Contract Library B,” supporting regulatory record-keeping, risk assessment, and operational compliance.