DataMapper - Updating your data policies (template)
How does using DataMapper affect my data policies?
Using DataMapper should be part of a complete data management strategy. To make sure your policies reflect that accurately, we’ve put together a short checklist of a few things we recommend you update now that you’re using DataMapper. The list is not exhaustive, as the needs of companies and the types of personal data they store will vary. Please review your own procedures and policies to be on the safe side.
DataMapper processes personal data
Let’s start with the relationship between you, the personal data you store, and DataMapper. DataMapper finds and organizes personal data in your systems. Thus, it becomes a data processor, while you are still the data controller. (Learn more about the difference between data controllers and data processors under point 5.)
That’s why we need to have a data processor agreement in place, and that agreement is already part of our standard terms that you accept when you download DataMapper. If you’d like to review that agreement, you can find it in the DataMapper terms of use.
Your procedures and policies
DataMapper will make it much easier for you to properly track and manage the personal data you store. But any new tool or change in your data processes will trigger a need to update your policies.
After downloading DataMapper, just make a few simple changes to include it in your policies, specifying the purposes and activities for which it processes personal data. Don’t worry, we’ll walk you through it.
Here are some of the documents companies that process personal data must have in place. While the policies needed will vary from company to company, we have tried to cover the most common and important ones. We’ve provided some suggested wordings, which you can use as written or adapt to match your company culture and the language of your documents, keeping everything cohesive and consistent.
1. Data Protection Policy
This is a policy that describes what you do to protect personal data. Since DataMapper is a key part of your data protection and privacy strategy, you should include it under a relevant section.
We suggest you insert the following text.
“To further increase security and strengthen our commitment to handling personal data in a safe and structured manner, we use DataMapper to track and organize documents that contain personal data across our drives, cloud storage and emails.”
2. Internal Processing Procedures
This is a list of the activities that involve the internal processing of personal data at your company. It is what the Danish Data Protection Agency refers to as the "inventory requirement". An example of an activity that requires the processing of personal data internally is the management of job applications and CVs.
What do you do with a job application that comes in an email? Who has access to it? When will it be deleted? Do you have an HR system to handle this information? List all of your activities, then describe how personal data is handled in each case.
Naturally, DataMapper must be included here, since you use the program to find, track, structure and delete personal data. In our template, you will find a model of how DataMapper should be listed.
The following is an example of information that should be included with each activity in a list of internal processing procedures. When listing “managing of CVs and job applications”, it might look like this:
| Service | Short description | How do you receive and use personal data |
|---|---|---|
| Managing job applications and CVs | Our HR department manages job applications, including CVs, as part of recruitment. | Job applications, including CVs, include personal data about job applicants and are received by HR either via recruitment systems or via e-mails sent by applicants directly to HR. The job applications, including CVs, are shared within the company for the purpose of finding the right candidates for vacant positions. |
| | | [Enter the purpose(s) for which you want to use personal data] |
| | | [Insert to whom you can share personal data in the organization] |
| | | [Insert how you share the personal data] |
| | | [Insert which third parties (e.g. suppliers) you can share personal data with, if applicable] |
| | | [Insert other precautions to be taken] |
| | | [Insert how to delete personal data] Example: “We use DataMapper GDPR to ensure the legal deletion of personal sensitive documents. DataMapper scans our documents and tells us exactly where a given document is located and if there are copies of it. In this way, we ensure that all relevant data is properly deleted.” |
3. Privacy Policy
Now, let’s move on to your external policy. This policy describes activities that involve processing personal data about others, for example, your customers. It is also where you determine on what legal basis you carry out these activities. This policy is usually available on a company's website, although this is not a requirement. The only requirement is that your privacy policy is made available to the people whose personal data you process.
Examples of a company’s activities that involve the processing of external users’ or customers’ personal data could be sending newsletters or the creation of user profiles on your website.
Our privacy policy template includes a box like the one you see below. You should fill it in with information about each service you perform, what data you need to process to do so, and on what legal basis the data is processed.
These details should be included for all of your services and activities, so make sure you include a description of how you use DataMapper. Since DataMapper is a tool you use to help keep track of the personal data you store and comply with the personal data regulations, it should be listed as a service.
For example, if a customer requests information (request for insight) about the personal data you have stored about him/her, DataMapper makes it easy for you to sort through your systems, collect and deliver the data.
The description of DataMapper as a service in your privacy policy could look like this:
| Service | Type of data | Legal basis for processing |
|---|---|---|
| We use DataMapper from Safe Online ApS to ensure GDPR compliance. | Name, surname, job title, number of employees, e-mail, phone number, personal work areas, company information including country of operation, origin and industries. | Legitimate interest (GDPR art. 6(1)(f)). |

| Category | Type of data | Sub-processors |
|---|---|---|
| We use DataMapper GDPR software to help us ensure GDPR compliance. | Name, surname, job title, number of employees, e-mail, phone number, personal work areas, company information including country of operation and origin, and industries. | Safe Online ApS, Købmagergade 22, 2, 1055 København K, Denmark |
4. Access Request Procedure
In this policy, you describe how you handle data insight requests from customers, employees, or other people.
Who is responsible for responding before the deadline (30 days)? In what form must a request be received and what requirements do you make for requests to be verified/approved?
DataMapper can be used to find data about a specific person quickly, making it easy to respond to data insight requests. Make sure you mention that you use it as a tool for that purpose. You could say something like:
“We use the software program DataMapper to help us find and identify documents that contain personally sensitive information. DataMapper scans our documents and tells us exactly where sensitive documents are located and if there are copies of them. This ensures that, when requested, we can give data subjects a complete overview of all data we have about them, who has access to it and where it is located.”
5. Data Processing Agreements
The main difference between a data controller and a data processor is the instruction element. A data processor will always act on the instructions of the data controller. See an example from the Danish Data Protection Agency here:
Example: “Fitness A” uses a system owned and operated by “Web B”
A fitness chain (Fitness A) needs to process personal information, including names, social security numbers, email addresses and account information about its members. The purpose of processing this personal information, among other things, is to charge for membership.
Fitness A wants to use an electronic system in which the necessary information can be quickly registered, stored and updated, etc. Fitness A therefore enters into an agreement with the IT company Web B, which has developed a system "FitnessCare" that can do what Fitness A wants. The information that Fitness A enters into the system is stored on servers at Web B.
The agreement between Fitness A and Web B clearly states that Web B may only process information about Fitness A's members in the manner agreed with and approved by Fitness A.
Fitness A thus decides for what purposes personal data is to be processed (e.g., so that Fitness A can charge payment from their members, etc.) and how the information is to be processed. Fitness A is therefore the data controller.
The agreement between Web B and Fitness A requires Web B to provide a service: processing (and perhaps storing, etc.) personal data. When this data processing is done solely on behalf of Fitness A, Web B is the data processor.
The fact that Web B is the data processor means that Web B may not use the information about Fitness A's members for its own purposes or for any purposes other than those agreed with Fitness A.
Web B is also not allowed to carry out significant processing activities without specific or general approvals from Fitness A, including, for example, using sub-data processors. If a general approval has been given to use sub-data processors, Web B will have to notify Fitness A in advance before entering into agreements with sub-data processors.
If your company acts as a data processor (as in the example above), DataMapper should be listed in your data processor agreement as an approved sub-data processor, since you will use DataMapper to keep track of data you have been instructed to process for the data controller. It can be listed as follows:
Approved sub-processors:
Safe Online ApS
Nørrebrogade 47, 1
2200, Copenhagen N, Denmark
Description: Software we use to find and structure documents that contain personal data.
Data location:
Amsterdam, Netherlands (Azure server)
Data subjects:
Persons found in exchanged documentation received from the customer, contracts, other material and information that is shared in connection with the conclusion of the agreement and the cooperation in general.
Type of data:
The data content may include, but is not limited to: name, surname, job title, number of employees, e-mail, telephone number, personal work areas, company information including country of operation, origin and branches. (The list is not exhaustive.)