207 lines
6.6 KiB
Markdown
207 lines
6.6 KiB
Markdown
# Records of Processing Activities (ROPA)
|
|
|
|
**Data Controller:** Jeff Emmett
|
|
**Last Updated:** [DATE]
|
|
**Version:** 1.0
|
|
|
|
This document fulfills the requirement under GDPR Article 30 to maintain records of processing activities.
|
|
|
|
---
|
|
|
|
## Overview
|
|
|
|
| Item | Details |
|
|
|------|---------|
|
|
| **Controller Name** | Jeff Emmett |
|
|
| **Controller Address** | 23 Birchpark Dr, L3M 4M9 Grimsby, Canada |
|
|
| **Contact Email** | [YOUR_EMAIL] |
|
|
| **Data Protection Officer** | Not required (< 250 employees, no large-scale processing) |
|
|
| **EU Representative** | Not required (processing not regular/large-scale) |
|
|
|
|
---
|
|
|
|
## Processing Activity 1: Website Hosting & Analytics
|
|
|
|
| Field | Details |
|
|
|-------|---------|
|
|
| **Activity Name** | Website Hosting and Analytics |
|
|
| **Purpose** | Hosting websites, collecting anonymized usage analytics to improve user experience |
|
|
| **Legal Basis** | Legitimate Interest (Art. 6(1)(f)) for basic hosting; Consent (Art. 6(1)(a)) for analytics |
|
|
| **Data Subjects** | Website visitors |
|
|
| **Personal Data Categories** | IP address (anonymized), browser type, pages visited, referrer URL, device type |
|
|
| **Special Categories** | None |
|
|
| **Data Sources** | Direct collection via website |
|
|
| **Recipients** | netcup GmbH (hosting), Cloudflare Inc (CDN), Vercel Inc (analytics) |
|
|
| **Third Country Transfers** | USA (Cloudflare, Vercel) - protected by SCCs/DPA |
|
|
| **Retention Period** | Server logs: 14 days; Analytics: 14 months |
|
|
| **Security Measures** | TLS encryption, access controls, ISO 27001 certified infrastructure |
|
|
|
|
### Websites Covered:
|
|
- jeffemmett.com
|
|
- mycofi.earth
|
|
- bondingcurve.tech
|
|
- convictionvoting.xyz
|
|
- decolonizeti.me
|
|
- [Add all your domains]
|
|
|
|
---
|
|
|
|
## Processing Activity 2: Newsletter Subscriptions
|
|
|
|
| Field | Details |
|
|
|-------|---------|
|
|
| **Activity Name** | Newsletter Management |
|
|
| **Purpose** | Sending newsletters and updates to subscribers |
|
|
| **Legal Basis** | Consent (Art. 6(1)(a)) - explicit opt-in |
|
|
| **Data Subjects** | Newsletter subscribers |
|
|
| **Personal Data Categories** | Email address, name (optional), subscription date, open/click tracking |
|
|
| **Special Categories** | None |
|
|
| **Data Sources** | Direct collection via subscription forms |
|
|
| **Recipients** | Self-hosted (Listmonk on netcup infrastructure) |
|
|
| **Third Country Transfers** | None (self-hosted in Germany) |
|
|
| **Retention Period** | Until unsubscribe + 30 days |
|
|
| **Security Measures** | TLS encryption, authentication required, database encryption |
|
|
|
|
### Consent Mechanism:
|
|
- Double opt-in required
|
|
- Clear unsubscribe link in every email
|
|
- Consent records stored with timestamp
|
|
|
|
---
|
|
|
|
## Processing Activity 3: Contact Form Submissions
|
|
|
|
| Field | Details |
|
|
|-------|---------|
|
|
| **Activity Name** | Contact Form Processing |
|
|
| **Purpose** | Responding to inquiries from website visitors |
|
|
| **Legal Basis** | Legitimate Interest (Art. 6(1)(f)) / Pre-contractual measures (Art. 6(1)(b)) |
|
|
| **Data Subjects** | People who submit contact forms |
|
|
| **Personal Data Categories** | Name, email address, message content |
|
|
| **Special Categories** | None |
|
|
| **Data Sources** | Direct submission via website forms |
|
|
| **Recipients** | Self-hosted email (or specify email provider) |
|
|
| **Third Country Transfers** | Depends on email provider |
|
|
| **Retention Period** | 2 years after last communication |
|
|
| **Security Measures** | TLS encryption, spam filtering |
|
|
|
|
---
|
|
|
|
## Processing Activity 4: User Accounts (if applicable)
|
|
|
|
| Field | Details |
|
|
|-------|---------|
|
|
| **Activity Name** | User Account Management |
|
|
| **Purpose** | Providing authenticated access to services |
|
|
| **Legal Basis** | Contract performance (Art. 6(1)(b)) |
|
|
| **Data Subjects** | Registered users |
|
|
| **Personal Data Categories** | Email, username, hashed password, account settings |
|
|
| **Special Categories** | None |
|
|
| **Data Sources** | User registration |
|
|
| **Recipients** | Self-hosted only |
|
|
| **Third Country Transfers** | None |
|
|
| **Retention Period** | Account lifetime + 30 days after deletion request |
|
|
| **Security Measures** | Password hashing (bcrypt), session management, 2FA optional |
|
|
|
|
---
|
|
|
|
## Data Processors (Sub-processors)
|
|
|
|
| Processor | Service | Location | DPA Signed | Contact |
|
|
|-----------|---------|----------|------------|---------|
|
|
| netcup GmbH | Web hosting infrastructure | Germany | Yes (online) | support@netcup.de |
|
|
| Cloudflare, Inc. | CDN, DNS, DDoS protection | USA (with EU options) | Yes (standard) | privacy@cloudflare.com |
|
|
| Vercel Inc. | Web analytics | USA | Yes (ToS) | privacy@vercel.com |
|
|
|
|
---
|
|
|
|
## Technical and Organizational Measures (TOMs)
|
|
|
|
### Confidentiality
|
|
- [x] TLS/SSL encryption for all websites
|
|
- [x] Access controls for server infrastructure
|
|
- [x] SSH key authentication (no password auth)
|
|
- [x] Firewall and network segmentation
|
|
|
|
### Integrity
|
|
- [x] Regular backups
|
|
- [x] Version control for code
|
|
- [x] Audit logging
|
|
|
|
### Availability
|
|
- [x] Redundant infrastructure
|
|
- [x] DDoS protection (Cloudflare)
|
|
- [x] Monitoring and alerting
|
|
|
|
### Resilience
|
|
- [x] Disaster recovery procedures
|
|
- [x] Regular backup testing
|
|
|
|
---
|
|
|
|
## Data Subject Rights Procedures
|
|
|
|
### Access Requests (Art. 15)
|
|
1. Receive request via email
|
|
2. Verify identity
|
|
3. Compile data within 30 days
|
|
4. Provide data in machine-readable format
|
|
|
|
### Erasure Requests (Art. 17)
|
|
1. Receive request via email
|
|
2. Verify identity
|
|
3. Delete from: databases, backups (when rotated), analytics
|
|
4. Confirm deletion within 30 days
|
|
|
|
### Portability Requests (Art. 20)
|
|
1. Receive request via email
|
|
2. Verify identity
|
|
3. Export data as JSON/CSV
|
|
4. Provide within 30 days
|
|
|
|
---
|
|
|
|
## Data Breach Response Plan
|
|
|
|
### Detection
|
|
- Monitoring systems in place
|
|
- Log analysis for anomalies
|
|
|
|
### Assessment (within 24 hours)
|
|
1. Identify scope of breach
|
|
2. Assess risk to data subjects
|
|
3. Document findings
|
|
|
|
### Notification (within 72 hours if required)
|
|
1. Notify supervisory authority if risk to rights/freedoms
|
|
2. Notify affected individuals if high risk
|
|
3. Document all actions
|
|
|
|
### Recovery
|
|
1. Contain breach
|
|
2. Remediate vulnerabilities
|
|
3. Review and update security measures
|
|
|
|
---
|
|
|
|
## Review Schedule
|
|
|
|
| Review Type | Frequency | Last Review | Next Review |
|
|
|-------------|-----------|-------------|-------------|
|
|
| ROPA Update | Annually | [DATE] | [DATE + 1 year] |
|
|
| Security Audit | Annually | [DATE] | [DATE + 1 year] |
|
|
| Processor Review | Annually | [DATE] | [DATE + 1 year] |
|
|
| Privacy Policy Review | Annually | [DATE] | [DATE + 1 year] |
|
|
|
|
---
|
|
|
|
## Change Log
|
|
|
|
| Date | Version | Changes | Author |
|
|
|------|---------|---------|--------|
|
|
| [DATE] | 1.0 | Initial creation | Jeff Emmett |
|
|
|
|
---
|
|
|
|
*This document should be kept up to date and reviewed at least annually or whenever there are significant changes to processing activities.*
|