DevPortalPagoPA



Risk analysis

What it is and what it is for

The risk analysis questionnaire is a structured tool, associated with each purpose, through which the party that receives the data accurately describes the purpose of processing, methods of access and use, data categories, retention periods, and the organizational and technical measures applied.
It serves to:
  • Document compliance with the privacy framework (principle of accountability) and formalize the declarant’s responsibilities;
  • Enable the producer to assess the consistency and lawfulness of data consumption with respect to the requested e-service;
  • Ensure traceability and transparency of the declared operations, supporting the overall governance of the National Digital Data Platform (PDND).

Why it must be completed

The risk analysis questionnaire has been introduced in the PDND to implement the GDPR guidelines on personal data protection. The Italian Data Protection Authority (Garante per la protezione dei dati personali) has expressed a favorable opinion on the questionnaire.

Who must complete it

The party receiving the data from the other party (in GDPR terms, the data controller) completes the risk analysis.
  • Direct producing (the e-service produces data): the consumer receives the data and completes the risk analysis.
  • Reverse producing (the e-service consumes data): the producer receives the data and completes the risk analysis. When the consumer creates a purpose for such an e-service, they select the corresponding use case; the producer processes the data in compliance with what is declared in the selected purpose.
The mode of the e-service is indicated in the essential information. More details are available in the dedicated section.

Responsibility

The responsibility for the declarations made in the risk analysis lies with the party that completes it, which processes the data in accordance with its own statements. To ensure accuracy and traceability, the purpose must be submitted by a user with an administrator role.

Personal data

During the e-service publication phase, the producer is required to complete a specific field declaring whether the service involves the processing (provision or reception) of personal data.

Obligation for the consumer

The producer's declaration binds the consumer when completing the risk analysis. If the producer has indicated that personal data will be processed, the consumer must select "Yes" in response to the question: "Indicate whether personal data is accessed."

Obligation for the producer

In the case of reverse producing, where the e-service involves the reception (rather than the provision) of data, the producer itself must comply with and apply this requirement in its own risk analysis.
