Consider the following GDPR tips, regarding how to address collection of personal data:
•GDPR Article 13 enforces "Information to be provided where personal data are collected from the data subject".
•GDPR Article 14 enforces "Information to be provided where personal data have not been obtained from the data subject".
•As summarized in the Introductory concepts of GDPR, the right to "Ask for clarifications about the purpose being given to personal data" is available for individuals.
•As summarized in the Introductory concepts of GDPR, the right to "Ask for clarifications on which personal data is being managed, and where it is stored or accessed from" is available for individuals.
A process is comprised of different actors and systems: end users, which input information via a graphical user interface (either by typing in text or by uploading documents or photos/images), and any number of external applications being integrated through diverse Bizagi features.
According to the above, personal data is often collected through three different channels: By direct end user input in processes, through application integration, and when having an admin manage information of end users.
Consider the following channels.
1. By direct end user input in processes.
A process may collect personal data through the user interfaces presented by in different activities throughout a process; that is, by capturing input from end users directly through the user interfaces' fields.
Note that fields in the user interfaces are completely defined by the customer during process design stages.
End user input is not restricted to typed-in text, but also considers files that are uploading and that contain personal data (e.g. a scanned personal identification document, bank certificates, medical reports and information, a photo of a user, etc).
Information captured this way is not solely about the end users but also about any individual involved in a process (such as a contractor's or vendor's contacts, users/customers, health care patients, etc).
Further information about how process application is designed is available at http://help.bizagi.com/bpm-suite/en/process_wizard.htm.
2. Through application integration.
A process may collect personal data through other applications, whenever processes in Bizagi integrate with them.
Bizagi allows application integration to fulfill B2B scenarios, where customers may define which data can be exchanged with another application.
For instance, having a process look up certain information from an individual in any central system, such as a Credit bureau, a black list, or a CRM, among others.
Further information about application integration possibilities is available at http://help.bizagi.com/bpm-suite/en/integrating.htm.
Bizagi provides application integration features both at a process level and at a data level:
•At process level
This alternative can be achieved by leveraging service-oriented architectures or targeting specific systems under their own protocols, by: invoking external SOAP web services (http://help.bizagi.com/bpm-suite/en/invokingsoa_externalserv.htm), using out-of-box connectors to connect to RESTful services (http://help.bizagi.com/bpm-suite/en/connectors_overview.htm), integrating document repositories of ECMs (http://help.bizagi.com/bpm-suite/en/ecm.htm), or using custom components to include bespoke code (http://help.bizagi.com/bpm-suite/en/component_library.htm).
•At data level
Through data modeling in Bizagi, entities, attributes and relationships are defined by default in a local data model (Bizagi's database).
Though this alternative is about how Bizagi also offers two powerful integration mechanisms that allows a direct connection to existing data sources, so that these are mapped in Bizagi's data model and their data is reused without the cost of having islands of information or entailing an administration overhead to synchronize data.
These two mechanisms are known as Data Replication (for Bizagi to import data as a scheduled task in read-only access mode: http://help.bizagi.com/bpm-suite/en/replication.htm), and Data Virtualization (for a two-way synchronization done on demand: (http://help.bizagi.com/bpm-suite/en/virtualization.htm).
3. When having an admin manage information of end users.
An admin from the customer's side, may at any time manage information about end users and their accounts, including details such as: Email address, First name, Last name, Location (Country, State, City), Phone number, or a photo.
Additionally, other information related to the roles and position of that user within the customer's organization can be managed as well.
Even though the above fields are shipped-in by default with Bizagi, customers may extend what is stored by defining additional fields through user properties (http://help.bizagi.com/bpm-suite/en/index.html?user_properties.htm).
Whenever you as a customer and as the Data Controller, need to clarify how is personal data collected, you would need to consider all the aspects mentioned above.
This way, you can issue a specific response for each of the different types of individuals that are involved in your processes.