302 - DOC2 - Personal Data Analysis Form

The document analyzes personal data processing for a company. It contains a table with details of personal data items collected from customers/contractors/partners, the processing purposes and lawful basis. The company is considered a joint controller and processor for some data. There is no international transfer of data.

CLIENT NAME:

GDPR - DOC2 CompanyName France
Personal Data Analysis Form
Security Classification: Confidential
Date completed: 11-Dec-18
Completed by: Roland Costea
* CompanyName France is considered a processor in client contracts without actually processing anything. Instead, they are processing personal data of their clients' employees (in sales relationships), acting as a controller (this is not specified in the contract).
* CompanyName can be considered a joint controller.

Columns: Ref; Project or business process; Personal data item; Description; Special category of personal data?; Obtained from data subject?; Owner; Processing purpose; Lawful basis of processing; If consent-based, how is consent obtained?; Automated decision-making?; Level of data subject access; Location stored; Country stored in; Retention period; Encryption level; Access controls; Third parties shared with; International transfer destination & frequency

Ref: 1
Project or business process: Customer/Contractor/Partner relationship
Personal data item: Customer/Contractor/Partner contact name, email & phone
Description: Name, Email & Phone of the contact from an existing or prospecting customer - usually obtained by exchanging business cards or people participating in local events where they leave business cards, or sales people networks (incl. LinkedIn)
Special category of personal data? No
Obtained from data subject? Yes
Owner: Sales and Marketing Manager
Processing purpose: Sales records, marketing, professional services and ongoing support
Lawful basis of processing: Contractual for existing clients. Legal for prospects: Processing is necessary […] in order to take steps at the request of the data subject prior to entering into a contract
If consent-based, how is consent obtained? Agreements and General terms and conditions MUST BE updated with GDPR provisions.
Automated decision-making? No
Level of data subject access: No access provided to data subjects
Location stored: CRM database (extremely limited info), local file server, backup server & user laptop, email server, phone contacts list
Country stored in: HQ, France
Retention period: To be filled in by CompanyName France
Encryption level: None
Access controls: Accessed based on user rights via CRM, file server, email server, mobile phone contacts area (mobile phones are mostly personal and there is no restriction or protection to customer data)
Third parties shared with: None
International transfer destination & frequency: There is no cross border transfer of personal data and also no frequency to discuss. Data is shared with CompanyName HQ inside the company and due to technology reasons stored also on HQ premises where physical servers reside.

Ref: 2
Project or business process: HR contracts (existing employees)
Personal data item: Name
Description: Name of the employee as per document ID
Special category of personal data? No
Obtained from data subject? Yes
Owner: HR representative, Finance & Administration Manager
Processing purpose: Employment contract signed between employee and CompanyName France as per France law
Lawful basis of processing: French labour law
If consent-based, how is consent obtained? Personal data processing clauses SHOULD BE included in the employment contract signed by the employee
Automated decision-making? No
Level of data subject access: No access provided to data subjects
Location stored: Talentia HR Tool, File Server, Backup server, Email server, physical cabinets, HR rep laptop
Country stored in: HQ, France
Retention period: To be filled in by CompanyName France
Encryption level: None
Access controls: CEO and Finance/Administration manager have physical access to locked cabinets, Role based access control rights on file server (HR, CEO, Finance & Administration have access to this information)
Third parties shared with: Bank (Societe Generale), Procedo, Cushwake, URSSAF, CNAV, Humanis Retraite, ACMS, Pole Emploi, SFR, Sodexo, Adexim, La Creation Imagee, Realiz Grafik, Temys, Caisse Primaire, Eunomie Avocats, Cetim, Cabinet M&B ASSOCIES, Univers Paie, F2A
International transfer destination & frequency: There is no cross border transfer of personal data and also no frequency to discuss. Data is shared with CompanyName HQ inside the company and due to technology reasons stored also on HQ premises where physical servers reside.

Ref: 3
Project or business process: HR contracts (existing employees)
Personal data item: Salary
Description: Salary of the employee as per employment contract
Special category of personal data? No
Obtained from data subject? No
Owner: HR representative, Finance & Administration Manager
Processing purpose: Employment contract signed between employee and CompanyName France as per France law
Lawful basis of processing: French labour law
If consent-based, how is consent obtained? Personal data processing clauses SHOULD BE included in the employment contract signed by the employee
Automated decision-making? No
Level of data subject access: No access provided to data subjects
Location stored: Talentia HR Tool, File Server, Backup server, Email server, physical cabinets, HR rep laptop
Country stored in: HQ, France
Retention period: To be filled in by CompanyName France
Encryption level: None
Access controls: CEO and Finance/Administration manager have physical access to locked cabinets, Role based access control rights on file server (HR, CEO, Finance & Administration have access to this information)
Third parties shared with: Bank (Societe Generale)
International transfer destination & frequency: There is no cross border transfer of personal data and also no frequency to discuss. Data is shared with CompanyName HQ inside the company and due to technology reasons stored also on HQ premises where physical servers reside.

Ref: 4
Project or business process: HR contracts (existing employees)
Personal data item: Address, Social Security Number, Place of Birth
Description: Address, Social Security number & Place of Birth of the employee as per document ID
Special category of personal data? No
Obtained from data subject? Yes
Owner: HR representative, Finance & Administration Manager
Processing purpose: Employment contract signed between employee and CompanyName France as per France law
Lawful basis of processing: French labour law
If consent-based, how is consent obtained? Personal data processing clauses SHOULD BE included in the employment contract signed by the employee
Automated decision-making? No
Level of data subject access: No access provided to data subjects
Location stored: Talentia HR Tool, File Server, Backup server, Email server, physical cabinets, HR rep laptop
Country stored in: HQ, France
Retention period: To be filled in by CompanyName France
Encryption level: None
Access controls: CEO and Finance/Administration manager have physical access to locked cabinets, Role based access control rights on file server (HR, CEO, Finance & Administration have access to this information)
Third parties shared with: Bank (Societe Generale), ACME, Pole Emploi
International transfer destination & frequency: There is no cross border transfer of personal data and also no frequency to discuss. Data is shared with CompanyName HQ inside the company and due to technology reasons stored also on HQ premises where physical servers reside.

Ref: 5
Project or business process: HR contracts (existing employees)
Personal data item: Role
Description: Role in the organization
Special category of personal data? No
Obtained from data subject? No
Owner: HR representative, Finance & Administration Manager
Processing purpose: Employment contract signed between employee and CompanyName France as per France law
Lawful basis of processing: French labour law
If consent-based, how is consent obtained? Personal data processing clauses SHOULD BE included in the employment contract signed by the employee
Automated decision-making? No
Level of data subject access: No access provided to data subjects
Location stored: Talentia HR Tool, File Server, Backup server, Email server, physical cabinets, HR rep laptop
Country stored in: HQ, France
Retention period: To be filled in by CompanyName France
Encryption level: None
Access controls: CEO and Finance/Administration manager have physical access to locked cabinets, Role based access control rights on file server (HR, CEO, Finance & Administration have access to this information)
Third parties shared with: La Creation Imagee, Realiz Grafik
International transfer destination & frequency: There is no cross border transfer of personal data and also no frequency to discuss. Data is shared with CompanyName HQ inside the company and due to technology reasons stored also on HQ premises where physical servers reside.

Ref: 6
Project or business process: Recruiting activities - prospecting CVs
Personal data item: Name, Address, Email, Personal Phone nr.
Description: Name, Address, Email, Personal phone nr. as per CV
Special category of personal data? No
Obtained from data subject? Both data subject and HR agency
Owner: HR representative
Processing purpose: Prospecting candidates that were part of the interview process
Lawful basis of processing: Legal, France law: Processing is necessary […] in order to take steps at the request of the data subject prior to entering into a contract
If consent-based, how is consent obtained? Not applicable
Automated decision-making? No
Level of data subject access: No access provided to data subjects
Location stored: Email server
Country stored in: HQ, France
Retention period: To be filled in by CompanyName France
Encryption level: None
Access controls: Data is stored on email server as per HR representative inbox. So, the IT department managing the email server may have access to data
Third parties shared with: None
International transfer destination & frequency: There is no cross border transfer of personal data and also no frequency to discuss. Data is shared with CompanyName HQ inside the company and due to technology reasons stored also on HQ premises where physical servers reside.

Ref: 7
Project or business process: Payslips
Personal data item: Salary
Description: Salary of the employee as per employment contract
Special category of personal data? No
Obtained from data subject? No
Owner: Finance Manager
Processing purpose: 3rd party company needs data to generate monthly payslips
Lawful basis of processing: French labour law
If consent-based, how is consent obtained? Not applicable
Automated decision-making? No
Level of data subject access: Payslips are printed for every employee and are accessible for download in an online storage location
Location stored: Email server, Printers HDD, Online storage location managed by CompanyName group
Country stored in: HQ, France
Retention period: To be filled in by CompanyName France
Encryption level: None
Access controls: Payslips are printed for every employee and are accessible for download in an online storage location where every employee has access to his data
Third parties shared with: Univers Paie - Payslip company (external), URSSAF, CNAV, Humanis Retraite, Caisse Primaire, Eunomie Avocats, F2A
International transfer destination & frequency: There is no cross border transfer of personal data and also no frequency to discuss. Data is shared with CompanyName HQ inside the company and due to technology reasons stored also on HQ premises where physical servers reside.

Ref: 8
Project or business process: Payslips
Personal data item: Taxes
Description: Taxes paid by the employee as per France legislation / social security number
Special category of personal data? No
Obtained from data subject? No
Owner: Finance Manager
Processing purpose: 3rd party company needs data to generate monthly payslips
Lawful basis of processing: French labour law
If consent-based, how is consent obtained? Not applicable
Automated decision-making? No
Level of data subject access: Payslips are printed for every employee and are accessible for download in an online storage location
Location stored: Email server, Printers HDD, Online storage location managed by CompanyName group
Country stored in: HQ, France
Retention period: To be filled in by CompanyName France
Encryption level: None
Access controls: Payslips are printed for every employee and are accessible for download in an online storage location where every employee has access to his data
Third parties shared with: Univers Paie - Payslip company (external), URSSAF, CNAV, Humanis Retraite, Caisse Primaire, Eunomie Avocats, F2A
International transfer destination & frequency: There is no cross border transfer of personal data and also no frequency to discuss. Data is shared with CompanyName HQ inside the company and due to technology reasons stored also on HQ premises where physical servers reside.

Ref: 9
Project or business process: Payslips
Personal data item: Medical Data
Description: Medical information if the employee is sick and needs medical days off
Special category of personal data? Yes
Obtained from data subject? Yes
Owner: Finance Manager
Processing purpose: 3rd party company needs data to generate monthly payslips
Lawful basis of processing: French labour law
If consent-based, how is consent obtained? Not applicable
Automated decision-making? No
Level of data subject access: Payslips are printed for every employee and are accessible for download in an online storage location
Location stored: Email server, Printers HDD, Online storage location managed by CompanyName group
Country stored in: HQ, France
Retention period: To be filled in by CompanyName France
Encryption level: None
Access controls: Payslips are printed for every employee and are accessible for download in an online storage location where every employee has access to his data
Third parties shared with: Univers Paie - Payslip company (external), URSSAF, CNAV, Humanis Retraite, Caisse Primaire, Eunomie Avocats, F2A
International transfer destination & frequency: There is no cross border transfer of personal data and also no frequency to discuss. Data is shared with CompanyName HQ inside the company and due to technology reasons stored also on HQ premises where physical servers reside.

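Ref: 10
Project or business process: Badge logging
Personal data item: Name
Description: Every employee will use the badge when entering CompanyName France floor, activity that is being logged
Special category of personal data? No
Obtained from data subject? No
Owner: IT representative
Processing purpose: Physical security reasons - who enters and leaves CompanyName France floor is tracked as per badge ID and name allocation
Lawful basis of processing: Consent needed
If consent-based, how is consent obtained? Consent MUST BE obtained and added as an Annex to the employment contract (for ex.)
Automated decision-making? No
Level of data subject access: No access provided to data subjects
Location stored: Badge server
Country stored in: France
Retention period: To be filled in by CompanyName France
Encryption level: None
Access controls: IT representative has access to badge server data
Third parties shared with: Sodexo, Procedo, Cushwake
International transfer destination & frequency: There is no cross border transfer of personal data and also no frequency to discuss.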

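Ref: 11
Project or business process: Remote access to corporate resources using VPN client
Personal data item: Personal IP address
Description: Employees can log in from remote personal locations to corporate resources using VPN client
Special category of personal data? No
Obtained from data subject? No
Owner: IT Manager
Processing purpose: Cybersecurity reasons - all IPs connecting to remote VPN are logged
Lawful basis of processing: Legitimate interest could be taken into account as a lawful processing
If consent-based, how is consent obtained? Consent is not obtained! There could be a legitimate interest and CompanyName France should analyse this option and be able to justify it - ex. Legitimate Assessment Tool
Automated decision-making? No
Level of data subject access: No access provided to data subjects
Location stored: Router HDD
Country stored in: France
Retention period: To be filled in by CompanyName France
Encryption level: None
Access controls: IT department and IT representative have access to borderline router
Third parties shared with: None
International transfer destination & frequency: There is no cross border transfer of personal data and also no frequency to discuss.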

09/29/2023 Page 1 of 2 Confidential


Personal Data Capture Form - Completion Instructions
The intention of this spreadsheet is to map out the capture and use of personal data for one or more business processes
or projects.

The intended meanings of the listed columns are as follows.

Column - Meaning
Ref - A sequential reference number starting with 1
Project or business process - This could be the name of a new project or the name of an existing business process that processes personal data
Personal data item - The actual data involved; this may be a single item or a logical group of data e.g. "customer name" or "customer name and address"
Description - More information about the data item(s), if required
Special category of personal data? - Does the personal data fall into one or more of the special categories defined by the GDPR, namely racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person's sex life or sexual orientation?
Obtained from data subject? - Was the data obtained from the data subject directly or was it obtained from another source, such as a supplied database?
Owner - The role that is responsible for the personal data
Processing purpose - The use that the personal data is put to e.g. "fulfilling a sale" or "sending marketing information"
Lawful basis of processing - The rationale for why the processing is lawful under Article 6 of the GDPR. Options include consent, contractual and legal.
If consent-based, how is consent obtained? - If the lawful basis of the processing is consent, how does the data subject signify consent and how would this be evidenced?
Automated decision-making? - Does the business process involve a decision based solely on automated processing which may significantly affect the data subject?
Level of data subject access - What access does the data subject have to their personal data to exercise their rights e.g. review it for accuracy and change it?
Location stored - The physical place the data reside in e.g. a server or a filing cabinet
Country stored in - The country the data are stored in i.e. the physical location of the servers that hold the data
Retention period - How long is the data kept for before being deleted or amended so that it no longer represents personal data?
Encryption level - Is appropriate encryption applied to the data?
Access controls - Are appropriate access controls applied to the data?
Third parties shared with - Names of third parties with whom the data are shared i.e. those that will also hold and process the data on their own account (not simply hosting a storage location that you control)
Comments - Any other relevant information
