jeffemmett
/
gdpr-compliance-kit
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
gdpr-compliance-kit/RECORDS_OF_PROCESSING_ACTIV...

6.6 KiB
Raw Blame History

Records of Processing Activities (ROPA)

Data Controller: Jeff Emmett Last Updated: [DATE] Version: 1.0

This document fulfills the requirement under GDPR Article 30 to maintain records of processing activities.

Overview

Item Details
Controller Name Jeff Emmett
Controller Address 23 Birchpark Dr, L3M 4M9 Grimsby, Canada
Contact Email [YOUR_EMAIL]
Data Protection Officer Not required (< 250 employees, no large-scale processing)
EU Representative Not required (processing not regular/large-scale)

Processing Activity 1: Website Hosting & Analytics

Field Details
Activity Name Website Hosting and Analytics
Purpose Hosting websites, collecting anonymized usage analytics to improve user experience
Legal Basis Legitimate Interest (Art. 6(1)(f)) for basic hosting; Consent (Art. 6(1)(a)) for analytics
Data Subjects Website visitors
Personal Data Categories IP address (anonymized), browser type, pages visited, referrer URL, device type
Special Categories None
Data Sources Direct collection via website
Recipients netcup GmbH (hosting), Cloudflare Inc (CDN), Vercel Inc (analytics)
Third Country Transfers USA (Cloudflare, Vercel) - protected by SCCs/DPA
Retention Period Server logs: 14 days; Analytics: 14 months
Security Measures TLS encryption, access controls, ISO 27001 certified infrastructure

Websites Covered:

  • jeffemmett.com
  • mycofi.earth
  • bondingcurve.tech
  • convictionvoting.xyz
  • decolonizeti.me
  • [Add all your domains]

Processing Activity 2: Newsletter Subscriptions

Field Details
Activity Name Newsletter Management
Purpose Sending newsletters and updates to subscribers
Legal Basis Consent (Art. 6(1)(a)) - explicit opt-in
Data Subjects Newsletter subscribers
Personal Data Categories Email address, name (optional), subscription date, open/click tracking
Special Categories None
Data Sources Direct collection via subscription forms
Recipients Self-hosted (Listmonk on netcup infrastructure)
Third Country Transfers None (self-hosted in Germany)
Retention Period Until unsubscribe + 30 days
Security Measures TLS encryption, authentication required, database encryption

Consent Mechanism:

  • Double opt-in required
  • Clear unsubscribe link in every email
  • Consent records stored with timestamp

Processing Activity 3: Contact Form Submissions

Field Details
Activity Name Contact Form Processing
Purpose Responding to inquiries from website visitors
Legal Basis Legitimate Interest (Art. 6(1)(f)) / Pre-contractual measures (Art. 6(1)(b))
Data Subjects People who submit contact forms
Personal Data Categories Name, email address, message content
Special Categories None
Data Sources Direct submission via website forms
Recipients Self-hosted email (or specify email provider)
Third Country Transfers Depends on email provider
Retention Period 2 years after last communication
Security Measures TLS encryption, spam filtering

Processing Activity 4: User Accounts (if applicable)

Field Details
Activity Name User Account Management
Purpose Providing authenticated access to services
Legal Basis Contract performance (Art. 6(1)(b))
Data Subjects Registered users
Personal Data Categories Email, username, hashed password, account settings
Special Categories None
Data Sources User registration
Recipients Self-hosted only
Third Country Transfers None
Retention Period Account lifetime + 30 days after deletion request
Security Measures Password hashing (bcrypt), session management, 2FA optional

Data Processors (Sub-processors)

Processor Service Location DPA Signed Contact
netcup GmbH Web hosting infrastructure Germany Yes (online) support@netcup.de
Cloudflare, Inc. CDN, DNS, DDoS protection USA (with EU options) Yes (standard) privacy@cloudflare.com
Vercel Inc. Web analytics USA Yes (ToS) privacy@vercel.com

Technical and Organizational Measures (TOMs)

Confidentiality

  • TLS/SSL encryption for all websites
  • Access controls for server infrastructure
  • SSH key authentication (no password auth)
  • Firewall and network segmentation

Integrity

  • Regular backups
  • Version control for code
  • Audit logging

Availability

  • Redundant infrastructure
  • DDoS protection (Cloudflare)
  • Monitoring and alerting

Resilience

  • Disaster recovery procedures
  • Regular backup testing

Data Subject Rights Procedures

Access Requests (Art. 15)

  1. Receive request via email
  2. Verify identity
  3. Compile data within 30 days
  4. Provide data in machine-readable format

Erasure Requests (Art. 17)

  1. Receive request via email
  2. Verify identity
  3. Delete from: databases, backups (when rotated), analytics
  4. Confirm deletion within 30 days

Portability Requests (Art. 20)

  1. Receive request via email
  2. Verify identity
  3. Export data as JSON/CSV
  4. Provide within 30 days

Data Breach Response Plan

Detection

  • Monitoring systems in place
  • Log analysis for anomalies

Assessment (within 24 hours)

  1. Identify scope of breach
  2. Assess risk to data subjects
  3. Document findings

Notification (within 72 hours if required)

  1. Notify supervisory authority if risk to rights/freedoms
  2. Notify affected individuals if high risk
  3. Document all actions

Recovery

  1. Contain breach
  2. Remediate vulnerabilities
  3. Review and update security measures

Review Schedule

Review Type Frequency Last Review Next Review
ROPA Update Annually [DATE] [DATE + 1 year]
Security Audit Annually [DATE] [DATE + 1 year]
Processor Review Annually [DATE] [DATE + 1 year]
Privacy Policy Review Annually [DATE] [DATE + 1 year]

Change Log

Date Version Changes Author
[DATE] 1.0 Initial creation Jeff Emmett

This document should be kept up to date and reviewed at least annually or whenever there are significant changes to processing activities.