
📊 Article 30 GDPR Data Processing Register

Processing Activity Registry

This register documents all data processing activities conducted by Healthcare Manufaktur GmbH in accordance with Article 30 of the GDPR.

Category A: Customer Relationship Management

Processing Details

Activity Name: Customer Relationship Management (CRM)
Controller: Healthcare Manufaktur GmbH
Processing Purpose: Customer relationship management, service delivery, and business development
Legal Basis: Article 6(1)(b) GDPR - Contract performance

Data Categories

Personal Data Types:

  • Contact information (name, email, phone, address)
  • Company information and professional role
  • Communication preferences and history
  • Service requirements and specifications
  • Contract details and billing information
  • Interaction logs and correspondence

Special Categories: None processed in this category

Data Subjects

  • Current business customers
  • Prospective customers and leads
  • Partner organization contacts
  • Supplier contacts
  • Conference and event contacts

Data Recipients

Internal Recipients:

  • Sales and business development team
  • Customer service representatives
  • Technical support staff
  • Executive management (for strategic accounts)

External Recipients:

  • CRM system provider (Salesforce/HubSpot)
  • Email marketing service provider
  • Customer support platform provider
  • Analytics and reporting service providers

International Transfers

Transfer Destinations: United States, United Kingdom
Transfer Mechanism: Standard Contractual Clauses (SCCs)
Safeguards: Encryption in transit and at rest, access controls, audit logging

Retention Period

Standard Retention: 7 years after contract termination
Legal Justification: German commercial law (HGB) and tax law (AO) requirements
Deletion Process: Automated deletion after retention period expires

Security Measures

  • Multi-factor authentication for system access
  • Role-based access controls
  • Encryption of data at rest (AES-256)
  • Encrypted communication channels (TLS 1.3)
  • Regular access reviews and audit logging
  • Data loss prevention (DLP) monitoring

Category B: Employee Data Management

Processing Details

Activity Name: Human Resources Management
Controller: Healthcare Manufaktur GmbH
Processing Purpose: Employment relationship management, payroll, performance management
Legal Basis: Article 6(1)(b) Contract performance, Article 6(1)(c) Legal obligation

Data Categories

Personal Data Types:

  • Personal identification (name, address, ID numbers)
  • Employment information (position, salary, benefits)
  • Performance evaluations and development records
  • Time and attendance records
  • Emergency contact information
  • Bank account details for payroll

Special Categories:

  • Health data for sick leave and occupational health (Article 9(2)(b))
  • Disability information for accommodation purposes (Article 9(2)(b))

Data Subjects

  • Current employees (full-time, part-time, contractors)
  • Former employees (for legal retention periods)
  • Job applicants (during recruitment process)
  • Employee emergency contacts

Data Recipients

Internal Recipients:

  • Human Resources department
  • Direct supervisors and management
  • Payroll processing team
  • IT department (for system access management)

External Recipients:

  • Payroll service provider
  • Benefits administration provider
  • Occupational health services
  • Tax authorities and social security institutions
  • Employee assistance program providers

International Transfers

Transfer Destinations: Limited to EU/EEA countries only
Transfer Mechanism: Not applicable (adequacy)
Safeguards: Standard organizational and technical measures

Retention Period

Standard Retention: 10 years after employment termination
Legal Justification: German employment law and social security requirements
Health Records: 40 years (occupational health regulations)

Security Measures

  • Segregated HR systems with enhanced access controls
  • Dedicated encryption keys for sensitive HR data
  • Physical security for paper records
  • Regular HR audit and compliance reviews
  • Confidentiality agreements for HR staff

Category C: Healthcare Data Analytics

Processing Details

Activity Name: Healthcare Data Platform Operations
Controller: Healthcare Manufaktur GmbH
Processing Purpose: Healthcare analytics, research support, platform development
Legal Basis: Article 6(1)(f) Legitimate interest, Article 9(2)(j) Scientific research

Data Categories

Personal Data Types:

  • Pseudonymized patient identifiers
  • Healthcare professional credentials
  • System usage analytics
  • Platform interaction logs
  • Research dataset metadata

Special Categories:

  • Pseudonymized health data for analytics (Article 9(2)(j))
  • Professional certification information
  • Research participation consent records

Data Subjects

  • Healthcare professionals using the platform
  • Research participants (pseudonymized)
  • Platform administrators and users
  • Data contributors and researchers

Data Recipients

Internal Recipients:

  • Development and engineering teams
  • Data science and analytics teams
  • Quality assurance and compliance teams
  • Research collaboration partners

External Recipients:

  • Authorized research institutions
  • Healthcare analytics service providers
  • Cloud infrastructure providers (AWS, Azure)
  • Data visualization and reporting platforms

International Transfers

Transfer Destinations: United States (cloud providers), Switzerland (research partners)
Transfer Mechanism: Standard Contractual Clauses, Adequacy Decision (Switzerland)
Safeguards: Advanced encryption, pseudonymization, access controls

Retention Period

Standard Retention: As specified in individual research agreements
Minimum Period: 10 years (research data retention requirements)
Deletion Process: Secure deletion with certificate of destruction

Security Measures

  • Advanced pseudonymization and anonymization techniques
  • Multi-layered encryption (application, database, storage)
  • Strict access controls with audit logging
  • Data minimization and purpose limitation enforcement
  • Regular security assessments and penetration testing

Category D: Marketing & Communications

Processing Details

Activity Name: Marketing Communications and Business Development
Controller: Healthcare Manufaktur GmbH
Processing Purpose: Marketing communications, event management, business development
Legal Basis: Article 6(1)(a) Consent, Article 6(1)(f) Legitimate interest

Data Categories

Personal Data Types:

  • Contact information (name, email, phone, company)
  • Professional interests and preferences
  • Event attendance and participation history
  • Website interaction and engagement data
  • Communication preferences and opt-out status

Special Categories: None processed in this category

Data Subjects

  • Newsletter subscribers
  • Event attendees and registrants
  • Website visitors and prospects
  • Social media followers and contacts
  • Business networking contacts

Data Recipients

Internal Recipients:

  • Marketing and communications team
  • Business development representatives
  • Event management staff
  • Content creation team

External Recipients:

  • Email marketing platform provider
  • Event management service providers
  • Website analytics services
  • Social media management platforms
  • Marketing automation tools

International Transfers

Transfer Destinations: United States (marketing platforms)
Transfer Mechanism: Standard Contractual Clauses
Safeguards: Consent management, unsubscribe mechanisms, data minimization

Retention Period

Consent-Based: Until consent withdrawal
Legitimate Interest: 3 years after last interaction
Event Data: 2 years after event completion

Security Measures

  • Consent management platform integration
  • Automated unsubscribe and preference management
  • Regular consent review and reconfirmation
  • Marketing data segregation and access controls
  • Suppression list management for opt-outs

Register Maintenance

Update Procedures

  • Monthly Review: Regular review of processing activities for changes
  • New Activity Assessment: DPIA requirement evaluation for new processing
  • Legal Basis Review: Annual review of legal basis validity
  • Retention Review: Quarterly review of retention periods and deletion schedules

Compliance Monitoring

  • Access Logging: All register access logged and monitored
  • Change Management: Documented approval process for register changes
  • Audit Trail: Complete history of register modifications
  • Regular Reporting: Quarterly register compliance reporting to management

Documentation Standards

  • Standardized Format: Consistent documentation format across all activities
  • Evidence Collection: Supporting documentation for all register entries
  • Regular Updates: Systematic review and update procedures
  • Version Control: Maintained version history with approval workflows

This register is maintained by the Data Security Officer and reviewed quarterly to ensure accuracy and completeness.
