Document data transfers & TOMs

Goal: Document internal and external data transfers with third-country safeguards and assign the right technical and organizational measures to each processing activity.

In the Data Privacy Assistant you first use the Data Transfers step to document how personal data flows internally and to third parties, and to record the safeguards needed for transfers to third countries. The following Technical and Organizational Measures step then maps the right safeguards to each processing activity in a matrix. Both steps draw on the recipients and activities from your record of processing activities (ROPA).

Document data transfers

Open the Data Transfers step

Open the Data Privacy Assistant and use the step navigation to go to Data Transfers. The page shows two tables: Internal Recipients and External Recipients. Both are populated automatically from the recipients in your record of processing activities.

The Data Transfers step with the tables for internal and external recipients.

Review internal transfers

In the Internal Recipients table, expand a row and enter the country and the chosen safeguard mechanism. Internal recipients are units inside your organization that data is shared with.

Capture external recipients and processing

Open a row in the External Recipients table. Here you record the recipient’s role, for example (Sub-)Processors, Public Authority or Other, and the status of the data processing agreement (DPA), from Signed/Confirmed through Pending and Not Required to Missing.

Record third-country transfers and the TIA

For an external recipient, mark the transfer as going to a third country if the data leaves the European Economic Area. The assistant then reveals the fields for the appropriate safeguards and for the Transfer Impact Assessment (TIA). The information icon opens the guidance on third countries.

An external recipient row with role, DPA status and the revealed fields for third countries and the TIA.

Save the transfers and continue

Click Save. The assistant validates your entries, saves the transfers, and hands compliant external transfers over to the documentation. The flow then moves on to the next step, the Data Protection Impact Assessment.

Result: all internal and external transfers are documented, third-country cases carry their safeguards, and the compliant transfers are stored as records in the documentation.

Define the technical and organizational measures

Open the TOMs step

Use the step navigation to go to Technical and Organizational Measures. The page shows a matrix: the rows are the available controls, the columns are your processing activities.

The TOMs matrix with controls in the rows and processing activities in the columns.

Filter and search controls

Narrow the matrix with the chips All Controls, Data Protection Controls and Security Controls. Data protection controls are shown in blue (prefix PC), security controls in green (prefix RC). Use the Search controls field to find a specific measure quickly.

Map measures to activities

Assign a measure to an activity by activating the corresponding cell. When an activity column carries the DPIA marker, a Data Protection Impact Assessment was completed for it: review the assignment here especially carefully.

Save the TOMs

Click Save. The assistant stores the assignment as a Statement of Applicability and carries it into the rest of your documentation.

Result: every processing activity carries the technical and organizational measures assigned to it, and the Statement of Applicability is ready as evidence of your safeguards.

Frequently asked questions

Where do the recipients in the transfer tables come from?

The internal and external recipients are taken automatically from your record of processing activities (ROPA). Every recipient you assigned to an activity there appears here as a row. If a recipient is missing, add it in the ROPA step first.

What is a third country and when do I need safeguards?

Third countries are countries outside the European Economic Area without an adequacy decision from the EU Commission. Transfers to them require appropriate safeguards under Chapter V of the GDPR, such as standard contractual clauses. When you mark a third-country transfer for an external recipient, the assistant reveals the fields for the Transfer Impact Assessment (TIA).

What is the difference between data protection and security controls in the TOMs matrix?

Data protection controls (prefix PC) are shown in blue and cover measures such as purpose limitation or deletion concepts. Security controls (prefix RC) are shown in green and cover technical safeguards such as encryption or access control. The filter chips above the matrix let you show one group at a time.

Do I have to set each measure separately for each activity?

No. The eye icon in a control row activates a measure for all activities at once. You can then deselect individual cells where the measure does not apply.

What does the DPIA marker above an activity column mean?

It indicates that a Data Protection Impact Assessment was completed for that processing activity in the previous step. This helps you choose the assigned measures especially carefully for higher-risk activities.