Gestiona RGPD/Manage GDPR

This tool is aimed at data controller and processor, as well as DPOs, on basic aspects that must be taken into account, prior to carrying out adequate risk management for rights and freedoms in relation to the protection of personal data.

Gestiona RGPD/Manage GDPR allows to manage the Records of Processing Activities of an entity, with up to 500 processing, in an integrated way. It even allows you to manage the Records of different entities. At the same time, it incorporates the functionalities of the Evalua_Riesgo2 tool to perform the risk analysis and the evaluation of the obligation (or convenience) of carrying out a DPIA.

In the case of Gestiona RGPD/Manage GDPR, the functionalities are extended to allow risk management with privacy measures suggested by the tool for each specific risk factor identified, measures for the management of personal data breaches and security, and organizational measures and data protection policies. In turn, it allows, in the case of DPIA, to document the suitability, necessity and proportionality assessments.

All risk management information is associated with each processing operation. In addition, Gestiona RGPD/Manage GDPR allows you to generate reports on the Records of Processing Activities, and reports with additional risk management information. The reports can be generated in "doc" and "html" format, as well as in "csv" for export and use in other tools.

The management of the processing is carried out in the user's own browser, without any transmission of data to the AEPD and with total confidentiality. The information can be stored in a file on the user's computer and retrieved after each session, allowing different versions of the management information.

The use of this tool should be carried out without prejudice to the indications established  in the guide Risk management and impact assessment in personal data processing and the  Checklist for determining the formal adequacy of a DPIA and the submission of prior consultation.

In no case does the use of this tool imply the implementation of a risk management or a DPIA. Gestiona RGPD/Manage GDPR, in its state of evolution, is the starting point to begin risk management.

The mere obtaining of the documents provided by the AEPD tools does not imply, in any case, the automatic compliance with the obligations that the GDPR establish for those controllers and processors of the processing of personal data, in particular regarding the principle of accountability that the GDPR develops in its Chapter IV. These are initial help documents aimed at facilitating the understanding of these obligations and to address them, initially, in an appropriate manner.

On the basis of the documents obtained, controllers and processors of personal data must carry out any necessary adaptations on a case-by-case basis for each processing of personal data, taking into account the risks to the rights and freedoms of natural persons that may result from such processing in accordance with its nature, scope, context and purposes (Recital 76 and Article 35.1 of the GDPR).

Under no circumstances can this tool be understood as a way of applying the security measures required by Article 32 of the GDPR, to this end, standards of recognized prestige already existing in the market must be used.

In general, the General Data Protection Regulation (GDPR) requires personnel responsible for the management of personal data processing to carry out risk analyses and impact assessments in order to manage the risks to the rights and freedoms of natural persons. Moreover, the AEPD has published  the list of  personal data processing operations that require an impact assessment in accordance with the provisions of article 35.4 of the GDPR. It should be noted that both the lists of processing operations and the result of the tool do not limit the obligations of the controller who, in those cases in which there is no obligation to carry out a DPIA, may determine the need to carry it out depending on the particularities of each specific processing operation.

Gestiona RGPD/Manage GDPR is a free tool that guides the user through the basic elements that must be taken into account prior to carrying out risk management and impact assessment.  Gestiona RGPD/Manage GDPR is more than a closed list of elements to be taken into account and provides the basis to initiate risk analysis and management activities in the scope of the GDPR. Please note that, in no case can the compliance requirements be replaced by alternative technical or organizational measures, for more information you can consult the List of elements for GDPR compliance. In this sense, the DPIA should not be understood as an opportunity to carry out personal data processing that does not pass the proportionality and necessity analysis or is contrary to any of the data protection principles.

Therefore, Gestiona RGPD/Manage GDPR is a tool to help and support the decision and whose use generates the basic documentation and, in no case exhaustive, on which a risk analysis and management must be carried out by the controller and processor to comply with the provisions of the GDPR. This basic documentation will be a starting point that must be completed and analyzed by the controller and, where appropriate, the processor, following the indications established guide Risk management and impact assessment in personal data processing, in order to demonstrate at all times that the processing is carried out in accordance with the requirements established by the GDPR.

Link to the tool

User Manual