Question - GDPR "Processing Records" inputs from community

Hi all

We will have a look into the data flow module to see if we can use it for our GDPR requirements.

One of the requirements is that we must make a Processing Record showing what processes we are using, that are using data-assets having personal data. An what type of personal data and so on…
As I can see the module there is not a link between assets and processes.

My question: How do others in the community comply with GDRP via eramba when we don’t have this link between processes and assets, or using eramba to be compliant with GDPR at all?

This is the meta data from our Processing Record to day:
Proces name:
Purpose purpose:
• Organization
• Legal basis
• Information obligation
• Activity
Categories of data subjects and personal data
• Categories of data subjects
• Categories of personal data
• Categories of third parties
• Transfers to third countries
Technical and organizational security measures
• Retention time
• Data integrity controls
• Access control
• Log management
• Network and encryption
• Data discovery

Thanks for input

Update: The Processing record /requirements is called “Article 30”


Exactly the same question from my side. Such an inventory is mandatory, but to me it looks like it cannot really be built in Eramba? Eramba is rather based on the single data asset. It would be great if the various steps could be connected to one data flow asset (or similar), so we could have the inventory within Eramba.
I know there are some that use Eramba for GDPR as well, I wonder how this has been solved?


there is a link in between business units and each data flow, also third parties

what inventory is mandatory? it would be good to use examples :slight_smile:

The inventory of processing activities. I’ve got a template in form of a questinnaire, but only in german and mostly for the swiss law. It consists of:
Names of responsible / representative / dpo
Purpose of the activity (HR, Finance, logistics, IT, customer relations etc.)
Category of concerned persons (emplyoee, clients, partners, website visitors etc.)
Category of concerned data (name, title, birthday, hobbies, health info, logins, cv data etc.
Category of recipients (group companies, authorities, clients, vendors, public etc)
Countries of recipients (GDPR countries, others with data protection / without )
Terms of deletion
Measures of data security (encryption, password, anonymisation etc)