Consider the following GDPR tips, regarding which personal data is collected:
•GDPR Article 15 enforces the right of access by the data subject, which, as summarized in the Introductory concepts of GDPR, emphasizes asking for clarification about which personal data is being managed, where it is stored or accessed from, its purpose, its category, and to whom it is disclosed.
Personal data which is collected through process applications (i.e., either by direct end user input in processes, or through application integration) is stored in entities defined by customers themselves (typically, master type entities).
Personal data which is collected through the default shipped-in fields for end users (i.e., whenever an admin manages end users) is stored in a predefined system entity of Bizagi called the WFUser entity.
This entity does not depend on how each customer designs processes.
Data stored in master entities
Master entities store business information related to the process as such, for instance: information about the request and/or details about a contact, customer or patient. All master entities are entirely defined by the customers, according to what information each process needs.
Further information about master entities is available at http://help.bizagi.com/bpm-suite/en/index.html?expert_master.htm.
The following sample image highlights attributes which are custom defined in a process data model:
In the image above, note that master entities are displayed with a bluish color in their header.
It is recommended to be explicit and clear when naming fields that collect personal data. For example:
And avoid the use of inaccurate names.
Parameter type entities should not be used for personal data.
If a process uses personal data in parameter entities, Bizagi Ltd. strongly recommends that you change the data model and start using master entities for this purpose instead.
Further information about parameter entities is available at http://help.bizagi.com/bpm-suite/en/index.html?expert_parameter.htm
Data stored in the WFUser entity
Default fields considered by Bizagi within its WFUser entity are:
•Full name (text)
•User name (text)
•Contact email (text)
•Contact phone (text)
•Contact messenger (text)
•Profile picture (image)
Even though the above fields are shipped-in by default with Bizagi, customers may define additional fields by means of custom user properties (http://help.bizagi.com/bpm-suite/en/index.html?user_properties.htm).
In addition to the above, consider whether such end users are set as Stakeholders. If so, conduct an analysis similar to the one described above for master entities, this time for Stakeholder type entities, whenever these have fields for additional personal data of end users.
Further information about Stakeholder configuration in Bizagi is available at http://help.bizagi.com/bpm-suite/en/index.html?studio_stakeholders.htm.
Although the information in these fields is not filled in during process execution, it is important for you to acknowledge that these fields should be considered if an end user exercises his/her GDPR rights and requests that you report back all of his/her stored information.
Accordingly, in addition to the default fields offered by Bizagi for personal data of end users, you need to consider all other fields and attachments (defined as user properties, or stored in Stakeholder entities or master entities) that you define for your process applications and that apply to other subjects involved in these processes (such as a contractor's or vendor's contacts, customers, health care patients, etc.).