Data Privacy Module
Processing activities · Data inventory · Data flows · GDPR / FADP
1. Processing activity
2. Personal data
3. Assets
4. Third parties
5. Frameworks
6. Data flows
Step 1: Create a processing activity (PA) — the central object in the ROPA (Record of Processing Activities). Define what data is processed, why, and under which legal basis.
Processing activity: Employee payroll processing
Reference: PA-003
Purpose: Monthly salary calculation, tax withholding, social insurance contributions
Managing organisation: HR Department
Process owner: Marie Laurent
Retention: 10 years
Workflow status: Draft · In review · Approved · Needs update
Step 2: Define which personal data is collected. Each entry links a data subject category to specific data elements and a data classification.
Data subject categories
Subject · Employees
Subject · Contractors
Data elements collected
Identity · Full name · Standard
Identity · Social insurance number (AHV) · Sensitive
Financial · Bank account (IBAN) · Sensitive
Financial · Salary amount · Confidential
Contact · Home address · Standard
Tax · Tax identification number · Sensitive
Step 3: Map which assets store, process, or collect personal data. Primary assets represent the data source (e.g. "Employee Data"), supporting assets are the systems that host it (e.g. SAP HR).
Primary assets (data sources)
DA-001 · Employee master data · Primary
Supporting assets (systems)
AST-012 · SAP HR (HCM) · System
AST-034 · Azure SQL database · Database
AST-041 · Payroll portal · Application
Data element hosting
Salary amount · from Employee master data · hosted in SAP HR
IBAN · from Employee master data · hosted in SAP HR
AHV number · from Employee master data · hosted in Azure SQL
Step 4: Identify third parties that receive personal data. Track their processing role, DPA status, and international transfer safeguards.
TP-005 · SwissSalary AG · Processor
TP-011 · Federal tax authority · Controller
TP-018 · AXA pension fund · Processor
Third-party privacy details
SwissSalary AG
DPA signed
Transfer country: Switzerland (adequate)
Safeguard: N/A — domestic
AXA pension fund
DPA signed
Transfer country: Switzerland (adequate)
Safeguard: N/A — domestic
Step 5: Assign applicable privacy frameworks (GDPR, Swiss FADP) and set the legal basis for processing under each framework.
GDPR · Art. 6(1)(b) — performance of a contract · Employment contract
GDPR · Art. 6(1)(c) — legal obligation · Tax and social insurance law
FADP · Art. 31(1) — contract performance · Employment relationship
FADP · Art. 31(2)(b) — legal obligation · Swiss social insurance (AHVG)
Step 6: The data flow visualization shows how personal data moves from data subjects through your systems to third parties — auto-generated from the relationships you defined in steps 1–5.
Data flow diagram (nodes): Employees & contractors · PA-003 Employee payroll · SAP HR (HCM) · Azure SQL · Payroll portal · SwissSalary AG · Tax authority · AXA pension
Processing activities: 16
Personal data records: 1,812
Assets with personal data: 21
Frameworks (GDPR + FADP): 2