Opinion on the individual chapters

Chapter 1: General

Article of the GDPR
PIM reference
§ 1 Subject matter and objectives
§ 2 Material scope of application
This Regulation shall apply to the processing of personal data wholly or partly by automatic means and to the processing otherwise than by automatic means of personal data which are stored or are intended to be stored in a filing system.
The user account and audit trail.
§ 3 Spatial scope of application
Processing of personal data in the course of activities within the Union, if the controller or principal is located inside or outside the Union.
All users who do not work on Union territory or territory associated under international law are not affected by the EU GDPR.
§ 4 Definitions

Chapter 2: Principles

Article of the GDPR
PIM reference
§ 5 Principles for the processing of personal data
  • Lawfulness
  • Purpose limitation
  • Data minimization
The users are needed for the mapping of rights and identification in case of queries.
The audit trail is collected in case it becomes legally relevant.
§ 6 (1) Lawfulness of processing
The processing is lawful only if at least one of the following conditions is met:
(c) processing is necessary for compliance with a legal obligation to which the controller is subject.
(f) processing is necessary for the purposes of protecting the legitimate interests of the controller or of a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
Ad c)
Relevant if the audit trail is legally necessary.
Ad f)
For the person(s) responsible (the company), the traceability of actions (the audit trail) is of great interest for root cause analysis.
§ 7 (1) Conditions for consent
If the processing is based on consent, the controller must be able to prove that the data subject has consented to the processing of his or her personal data.
Since the processing is within the scope of the notified work of a user, specific consent is not necessary.
[see also § 17(1b)]
§ 8 Conditions for the consent of a child in relation to information society services

§ 9 Processing of special categories of personal data
§ 10 Processing of personal data on criminal convictions and criminal offenses
§ 11 Processing for which identification of the data subject is not required

Chapter 3: Rights of the data subject

Article of the GDPR
PIM reference
§ 12 Transparent information, communication and modalities for exercising the rights of the data subject
Since the personal data is part of the notified work, transparency is guaranteed.
§ 13 Duty to provide information when collecting personal data from the data subject
Since the user's own access generated the audit trail, a duty to provide information is not relevant. The user account contains little more than the rights and preferences he needs for his work.
§ 14 Duty to provide information if the personal data have not been collected from the data subject
This is not relevant for PIM application data, as this can only occur for user data; unless a user account is created and possibly used without the knowledge of the data subject....
§ 15 Right to information of the data subject

For PIM, this is only relevant for the information stored in the user account; the audit trail has been generated by the user himself.
§ 16 Right to rectification
This only affects the information stored for the user, since the audit trail data is generated by the user himself through his activities.
§ 17 Right to erasure (right to be forgotten)
The right to deletion does not apply if there is a legal basis [employment contract] {1b} or in case of/for the defense of legal claims {3e}.
§ 18 Right to restriction of processing
The right to restrict processing does not apply if the data would be needed to clarify legal claims {1c} or in case of objection to processing, content of § 21 (1) {1d}.
§ 19 Duty of notification in connection with the correction or deletion of personal data or the restriction of processing
Here it must be clarified whether this is regulated in the company's information process.
§ 20 Right to data portability
Whether the individual has the right to data portability depends on several factors: which data is at issue (application data or user data), and whether that data is authorized for disclosure to unauthorized third parties.
§ 21 Right of objection
See § 6 "lawful processing" and § 7 "consent".
§ 22 Automated decisions in individual cases including profiling
Profiling is only possible to a limited extent in the PIM, since only access to specific revisions of a version is possible. Real profiling is only possible by reading out the DB directly.
§ 23 Restrictions
The listed restrictions such as national security, national defense, public security, etc. can only be related to the personal data through the company data and the actions on it. Then § 7 applies.
Last edited on 29.06.2022 12:06.