CR 1.2 Schema: Transborder Field Inputs
Transborder Field Considerations
Field Name: | Guidance | Description | Data Types (define field format) | JSON | Required / Optional |
Third Party Role | | Describes the role of the third party to whom data is disclosed for the specified purpose e.g. Processor or Partner | String | thirdPartyRole | Required |
International transfer | This field is used to indicate if personal data is transferred outside GDPR-applicable jurisdictions | The field indicates that the specific purpose involves transfer to a jurisdiction not under GDPR | Boolean | internationalTransfer | Required |
International transfer locations | This field is used to indicate the locations the personal data will be transferred to that are not under the jurisdiction of the GDPR | Must use a normative form for the location such as ISO country codes or taxonomies for unions and region abbreviations (e.g. EU, EEA). Required if international transfer field is true. | Array | internationalTransferLocations | Optional |
International transfer safeguards | If international transfer is yes – list in the array which safeguards are used. | Required if international transfer field is true. | Array | internationalTransferSafeguards | Optional |
Profiling | This field is used to indicate if the specified purpose involves profiling | In GDPR, ‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements; | Boolean | profiling | Required |
Automated decision making | This field is used to indicate if the specified purpose is solely based on automated measures that produce legal effects for the data subject | This is mentioned in GDPR as decision based solely on automated processing, including profiling, which produces legal effects for the data subjects or similarly significantly affects him or her. | Boolean | automatedDecisionMaking | Required |
Processing Categories | This field is used to list the processing categories associated with a purpose. | Describes the data processing actions/activities carried out over personal data for the specified purpose. E.g. collect, use, store, share. | Array | processing | Required |
Data Storage location | This field is used to specify the data storage duration or conditions associated with the purpose. | The data storage field can specify the date/time or duration, or a condition or event (e.g. as long as account is active) after which the data will be erased and will no longer be used for the specified purpose | String | dataStorage | Required |
Security considerations for TransBorder Processing
Field Name: | Guidance | Description | Data Types (define field format) | JSON | Required / Optional |
Providence of PII | | | | | |
Source: accessed, controlled and processed at source? (y/n) | | | | | |
Sensitive or Special Cat of Data | | | | | |
Beneficial Owner of PII | | | | | |
Explicit Consent
Field Name | Guidance | Description | Data Types (define field format) | JSON | Required / Optional |
informed consent | | | | | |
knowledgeable consent | | | | | |
meaningful consent | | | | | |
processing interval and frequency | | | | | |
Delegation
Field Name | Guidance | Description | Data Types (define field format) | JSON | Required / Optional |
Type of Delegation (Guardianship) | | Delegation of monitoring and enforcement to a governance framework, Delegation of processing and sub-processing | | | |
Delegation of processing across borders | | | | | |
Data Subject is Child | This field is used to specify if the data subject is a child | The age for a child differs by jurisdiction. | Boolean | isChild | Required |
Given By Delegation | This field is used to specify if the consent was given by delegation | If data subject is a child, their consent may be required to be given by their parent or guardian in certain cases | Boolean | delegation | Optional |
Delegate Representative | This field denotes the identity of the delegate in the delegation. | This is the identity (such as name, email) of the delegate that provides consent on behalf of the data subject in the delegation. Required if consent given by delegation. | String | delegate | Optional |
Delegate Role | This field is used to specify the authority used to represent the party in the consent transaction | Role played by the delegate in the delegation. E.g. “parent of child”. Required if consent is given by delegation. | String | delegateRole | Optional |
Consent ID | This field is used to specify the internal consent ID used by the Controller to refer to consent | Controllers may wish to provide this for convenience in their communication with the data subject for referring to this specific consent. | String | consentID | Optional |
Validity | This field is used to specify the validity or duration of consent after which the consent can no longer be used as a legal basis. | The validity can be a specific date-time, or a duration (e.g. 6 months), or based on an event or condition (as long as account is valid) | String | validity | Required |
Applicable Rights | This field is used to specify how the data subject can exercise their rights under the GDPR | Rights include Right to Rectify, Right to Data Portability. The Right to Withdraw is specified in the “withdrawConsent” field. | Array | rights | Required |
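
The tables mark several fields as Optional while their descriptions make them required once a Boolean field is true (the international transfer fields, and the delegate fields under delegation). The following validator is an added example, not part of the CR 1.2 specification; it assumes the fields arrive as one flat JSON object, which the page does not state, and that Boolean, Array and String map to Python `bool`, `list` and `str`.

```python
import json
# (type, required) per field, taken from the tables above.
FIELDS = {
    "thirdPartyRole": (str, True),
    "internationalTransfer": (bool, True),
    "internationalTransferLocations": (list, False),
    "internationalTransferSafeguards": (list, False),
    "profiling": (bool, True),
    "automatedDecisionMaking": (bool, True),
    "processing": (list, True),
    "dataStorage": (str, True),
    "isChild": (bool, True),
    "delegation": (bool, False),
    "delegate": (str, False),
    "delegateRole": (str, False),
    "consentID": (str, False),
    "validity": (str, True),
    "rights": (list, True),
}
# "Required if <trigger> is true" rules from the Description column.
CONDITIONAL = {
    "internationalTransfer": ("internationalTransferLocations", "internationalTransferSafeguards"),
    "delegation": ("delegate", "delegateRole"),
}

def validate_record(record):
    """Return a list of problems; an empty list means the record passes."""
    errors = []
    for name, (ftype, required) in FIELDS.items():
        if name not in record:
            if required:
                errors.append(f"{name}: missing required field")
        # type() rather than isinstance(): "true" or 1 must not pass as Boolean
        elif type(record[name]) is not ftype:
            errors.append(f"{name}: expected {ftype.__name__}")
    for trigger, dependents in CONDITIONAL.items():
        if record.get(trigger) is True:  # identity test, so truthy strings never fire
            for dep in dependents:
                if not record.get(dep):  # absent or empty counts as missing
                    errors.append(f"{dep}: required when {trigger} is true")
    return errors

# Constructed sample: declares a transfer but omits locations and safeguards.
SAMPLE = json.loads("""{"thirdPartyRole": "Processor", "internationalTransfer": true,
  "profiling": false, "automatedDecisionMaking": false, "processing": ["collect", "store"],
  "dataStorage": "as long as account is active", "isChild": false,
  "validity": "6 months", "rights": ["Right to Rectify"]}""")

if __name__ == "__main__":
    print("\n".join(validate_record(SAMPLE)))
```

A record that sends `"internationalTransfer": "false"` as a string is reported as a type error instead of being treated as a transfer, which is the case a loose truthiness check gets wrong.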