Data Mapping and Records of Processing

Master the Data Flow Diagram tool to map every processing activity in your organization - from initial data collection through retention and deletion. Learn to document legal bases correctly, identify all data categories, map flows to third-party processors, and maintain the living document that proves your GDPR accountability.

What You'll Learn

  • Identify the elements GDPR Article 30 requires in every Records of Processing Activities entry
  • Map each processing activity from collection through retention and deletion using the Data Flow Diagram tool
  • Document the correct legal basis, including an Article 9(2) condition for health data
  • Map data flows to processors and other third-party recipients
  • Maintain the ROPA as a living document that evidences accountability

Training Steps

  1. Introduction

    You are Alice, the Data Protection Officer at Meridian Healthcare Solutions, a mid-sized healthcare provider operating across Germany. As a healthcare organization processing sensitive patient data, maintaining accurate Records of Processing Activities (ROPA) is not optional: it is a legal requirement under GDPR Article 30. Today marks the beginning of your annual ROPA review. The supervisory authority has announced increased scrutiny of healthcare organizations, and you need to ensure every processing activity is properly documented.

  2. Article 30 Requirements

    GDPR Article 30 requires controllers to maintain written records containing:
      • Name and contact details of the controller (and of the Data Protection Officer, where one is appointed)
      • Purposes of processing
      • Categories of data subjects and categories of personal data
      • Categories of recipients
      • Transfers to third countries (if any), including the safeguards relied on
      • Envisaged retention periods
      • A general description of the technical and organizational security measures
    Healthcare data adds complexity. Article 30 itself does not list the legal basis, but to demonstrate accountability you must also record, for each activity that processes health data, the Article 6(1) basis and the Article 9(2) condition that lifts the prohibition on special category data.

  3. Opening the Data Flow Diagram

    You open the Data Governance Portal to access the Data Flow Diagram tool. This portal allows you to visualize all data processing activities at Meridian Healthcare - every system that processes personal data, how data flows between them, and the legal basis for each processing activity.

  4. Understanding the Diagram

    The Data Flow Diagram displays all entities involved in processing personal data at Meridian Healthcare. Each node represents a system, person, or organization. The lines between nodes show how data flows. Different colors indicate different types of entities:
      • Blue - Data subjects (patients)
      • Green - Controllers (your systems)
      • Orange - Processors (third parties acting on your behalf)
      • Purple - Third parties (independent recipients)

  5. Identifying the Data Subject

    Every ROPA entry begins with identifying the data subjects. In healthcare, the primary data subjects are patients. You need to document what categories of personal data you collect from them and ensure you have a valid legal basis for each category.

  6. Patient Data Categories

    The Patient node reveals the categories of personal data collected:
      • Identity data (name, date of birth, national ID)
      • Contact details (address, phone, email)
      • Health records - special category data
      • Insurance information
    Health records require a condition under Article 9(2) in addition to an Article 6(1) basis. Ordinary consent under Article 6(1)(a) or legitimate interest under Article 6(1)(f) is not sufficient on its own for special category data; only the Article 9(2) conditions (for example explicit consent under 9(2)(a), or health care and treatment under 9(2)(h)) apply.

  7. Tracing Data Collection

    You need to document how patient data enters your organization. There are two primary collection points - the Patient Portal for registration and consent, and direct clinical intake for health records. Each entry point needs documented legal basis and purpose.

  8. Documenting Patient Registration

    The first processing activity to document is Patient Registration. When patients create accounts through the portal, you collect identity and contact data, and record their consent preferences. The legal bases are:
      • Consent (Article 6(1)(a)) - for marketing communications
      • Contract (Article 6(1)(b)) - for service delivery
    Retention: duration of the patient relationship plus 10 years for medical record obligations.

  9. Highlighting Registration Activity

    The Patient Registration processing activity is now highlighted. This is a critical ROPA entry because it establishes the consent records that support downstream processing. Without proper registration documentation, you cannot prove valid consent was obtained.

  10. Clinical Care Processing

    The core processing activity at any healthcare organization is clinical care delivery. This involves processing special category health data: diagnoses, treatments, prescriptions, and clinical notes. The Article 9(2) condition is Medical Necessity under Article 9(2)(h), which permits processing necessary for medical diagnosis or the provision of health care or treatment, provided the data are handled by or under the responsibility of a professional bound by professional secrecy (Article 9(3)). It is recorded alongside an Article 6(1) basis, not instead of one.
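The steps above describe the ROPA as a diagram in a portal, but the same checks can be run over a structured record of each processing activity. The following is an added example, not part of the original training or of any Meridian Healthcare system: a small "ROPA as code" linter that flags the gaps an Article 30 review looks for (missing Article 30 elements, special category data without an Article 9(2) condition, processor flows without an Article 28 contract, third-country transfers without a transfer mechanism). The dataclass fields, the finding codes and the three sample activities are constructed for this example; only the Article references are from the regulation.

```python
"""Added example: a ROPA-as-code linter for GDPR Article 30 records.

Each processing activity is a structured record; lint_activity() reports
the gaps an Article 30 review looks for. Field names, finding codes and
sample data are constructed for this example, not taken from any real
system.
"""
from dataclasses import dataclass, field
from typing import Optional

# Article 9(1) special categories, as normalised tags used in the records.
SPECIAL_CATEGORIES = {
    "racial_or_ethnic_origin", "political_opinions",
    "religious_or_philosophical_beliefs", "trade_union_membership",
    "genetic", "biometric", "health", "sex_life", "sexual_orientation",
}
ARTICLE_9_CONDITIONS = {f"9(2)({c})" for c in "abcdefghij"}  # Art 9(2)(a)-(j)
ARTICLE_6_BASES = {f"6(1)({c})" for c in "abcdef"}           # Art 6(1)(a)-(f)


@dataclass
class Flow:
    """A disclosure to a recipient (Article 30(1)(d) and (e))."""
    recipient: str
    role: str                                # "processor" or "controller"
    article_28_contract: bool = False        # data processing agreement in place
    third_country: Optional[str] = None      # e.g. "US"; None for EU/EEA
    transfer_mechanism: Optional[str] = None  # e.g. "SCC" or "adequacy"


@dataclass
class ProcessingActivity:
    name: str
    purposes: list
    data_subjects: list
    data_categories: list
    legal_bases: list                        # Article 6(1) bases, e.g. "6(1)(b)"
    retention: Optional[str] = None
    security_measures: list = field(default_factory=list)
    article_9_condition: Optional[str] = None
    flows: list = field(default_factory=list)


def lint_activity(activity: ProcessingActivity) -> list:
    """Return finding codes for one activity; an empty list means it passes."""
    findings = []
    # Article 30(1)(b), (c), (f), (g): purposes, categories, retention, measures.
    for attr in ("purposes", "data_subjects", "data_categories",
                 "retention", "security_measures"):
        if not getattr(activity, attr):
            findings.append(f"missing:{attr}")
    # Every activity needs at least one recognised Article 6(1) basis.
    if not activity.legal_bases or any(
            b not in ARTICLE_6_BASES for b in activity.legal_bases):
        findings.append("invalid:legal_bases")
    # Special category data needs an Article 9(2) condition on top of Article 6.
    if SPECIAL_CATEGORIES.intersection(activity.data_categories):
        if activity.article_9_condition not in ARTICLE_9_CONDITIONS:
            findings.append("special_category_without_art9")
    for flow in activity.flows:
        if flow.role == "processor" and not flow.article_28_contract:
            findings.append(f"processor_without_art28:{flow.recipient}")
        if flow.third_country and not flow.transfer_mechanism:
            findings.append(f"transfer_without_mechanism:{flow.recipient}")
    return findings


def lint_ropa(activities) -> dict:
    """Map each activity name to its findings."""
    return {a.name: lint_activity(a) for a in activities}


def build_sample_ropa() -> list:
    """Constructed sample: two complete entries and one deliberately incomplete."""
    return [
        ProcessingActivity(
            name="Patient Registration",
            purposes=["account creation", "marketing communications"],
            data_subjects=["patients"],
            data_categories=["identity", "contact", "consent_preferences"],
            legal_bases=["6(1)(b)", "6(1)(a)"],
            retention="patient relationship + 10 years",
            security_measures=["TLS", "role-based access control"],
            flows=[Flow("Portal hosting provider", "processor", True)],
        ),
        ProcessingActivity(
            name="Clinical Care",
            purposes=["diagnosis and treatment"],
            data_subjects=["patients"],
            data_categories=["identity", "health"],
            legal_bases=["6(1)(b)"],
            article_9_condition="9(2)(h)",
            retention="10 years after end of treatment",
            security_measures=["encryption at rest", "audit logging"],
            flows=[Flow("Health insurer", "controller")],
        ),
        ProcessingActivity(   # appointment type reveals health data
            name="Appointment Reminders",
            purposes=["remind patients of appointments"],
            data_subjects=["patients"],
            data_categories=["contact", "health"],
            legal_bases=["6(1)(b)"],
            flows=[Flow("SMS gateway Inc.", "processor", False, "US", None)],
        ),
    ]


if __name__ == "__main__":
    for name, findings in lint_ropa(build_sample_ropa()).items():
        print(name, "->", findings or "OK")
```

Run as a script, the two complete entries report OK and the reminder service reports missing retention and security measures, health data without an Article 9(2) condition, a processor without an Article 28 contract, and a US transfer without a mechanism. Keeping the ROPA in this form lets the review run on every change rather than once a year.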

Knowledge Check Questions

This training includes a 6-question quiz to test your understanding of data mapping and Records of Processing Activities under GDPR.

  • Under GDPR Article 30, which organizations must maintain Records of Processing Activities?
  • What is the correct legal basis for processing health data for medical treatment?
  • Which elements must be included in a ROPA entry? (Select all that apply)
  • What document must be in place with data processors under Article 28?
  • What distinguishes a data processor from a third-party controller?

Category: Security Awareness Security Training

Duration: Approximately 45 minutes

Format: Interactive 3D Simulation

Provider: RansomLeak Security Awareness Training