Comply with the requirements of the European General Data Protection Regulation (GDPR) with the help of ADONIS and ADOIT

The European General Data Protection Regulation (GDPR) was adopted by the European Parliament in May 2016. The implementation period has been two years, which means that this regulation will enter into force at the end of May 2018. It regulates processing of personal data by private companies and public bodies uniformly throughout the European Union and applies directly in all member states without having to be transposed into national law.

Although some detail questions have not yet been fully resolved, it has been already decided upon the following major changes to existing legal regulations:


  • Increased information requirements regarding the use of data
  • Obligation to preserve the right of data disclosure
  • Mandatory appointment of a data protection officer
  • Obligation to send a data breach notification to affected parties
    and to the authority in the event of a breach of data security
  • Significantly increased penalty range: up to 4% of the annual turnover


Because of these and similar changes, companies are required to take measures to ensure compliance with the GDPR until it is entered into force.


For this reason, we have developed possibilities to easily meet and prove various aspects of the GDPR using ADONIS or ADOIT.


In this article, we will be looking at the details of the requirements and present implementation proposals with our process management and enterprise architecture management tools.

Basic information on the EU GDPR

From the point of view of electronic data processing, the following aspects of data and their processing are at the forefront of the EU GDPR:


  • Personal data: All information relating to an identified or identifiable natural person.
  • Sensitive data (particularly worthy data): data of natural persons about their racial and ethnic origin, political opinion, etc.
  • Processing: An operation carried out with or without the help of automated procedures or any series of operations related to personal data such as collection, organization, sorting, storage, adaptation or modification, reading, retrieving, use, disclosure by transmission, dissemination or any other form of provision, reconciliation or linking, limitation, deletion or destruction.
  • Profiling: Any type of automated processing of personal data consisting of using these personal data to assess certain personal aspects relating to a natural person, in particular aspects relating to work performance, economic situation, health, personal preferences, interests, reliability, behaviour, location or change of location of such natural person.


In the course of the processing of different data types, the following actors are also distinguished:


  • Persons affected: Have an interest in the protection of their personal or sensitive data.
  • Persons responsible: Decide on the type of data processing.
  • Order processors: Process data on the instructions of the persons responsible.


Essential tasks to be addressed to data processing companies include, for example, the following:

  • Creation and maintenance of the list of all processing activities (Article 30 EU GDPR),
  • Implementation of technical and organizational measures (Article 21 EU GDPR),
  • Compliance with the statutory clearance obligation (Art. 17 EU GDPR) and their standardization, and
  • Follow-up assessments (Article 35 EU GDPR).


By means of existing functions and evaluations (such as the basic contextualization of information, measures monitoring or risk evaluations) as well as by a simple method and an intuitive tool, the BOC Group can support you and your company excellently.

Focus: List of processing activities

The main focus of the present work is on the compulsory list of processing activities: The obligation to provide documentation thereby concerns the persons responsible and the order processor. Content of this list is the essential information on data processing activities, in particular information on the purpose of the processing, a description of the categories of the personal data, a description of the persons concerned and the recipients. This directory must include the following details:


  • The name and contact details of the person responsible and, where appropriate, the person in charge, the representative of the person responsible and any data protection officer.
  • The purpose of processing.
  • A description of the categories of persons concerned and the categories of personal data.
  • The categories of recipients against which the personal data have been disclosed or will be disclosed, including recipients in third countries or international organizations.
  • Where appropriate, transfers of personal data to a third country or international organization, including the name of the third country or international organization concerned.
  • If possible, the deadlines for deleting the various categories of data as well as
  • If possible, a general description of the technical and organizational measures.


The following graphic shows a possible set-up, structure and content of a directory for processing activities:

Product extensions in ADONIS and ADOIT

For both our Business Process Management suite ADONIS and our Enterprise Architecture Management tool ADOIT, we have developed product extensions to the EU GDPR. This allows a simple expansion of documentation and evaluation for existing customers, while new prospective customers can also address the requirements of the GDPR.


  • From the point of view of the process-driven GDPR documentation, ADONIS supports you in detailing the processing directory. The starting point is the process map and the process sequences described. From there, the processing activities are described and the relevant data categories are identified.
  • If you are following an IT-driven approach, ADOIT can help you in capturing the processing activities from the point of view of your application map, and in turn assigning the corresponding artefacts to them.


To enable these two approaches, we extend our products with a new artefact, the processing activity. The following figure shows how the artefact is embedded into the meta model of ADOIT. Similarly, the extension is done in ADONIS.

Procedure for collection, preparation and evaluation

The extension of your documentation is supplemented by a suitable and efficiently cut procedure model. Here, the focus is on the corresponding processing activity (e.g. creation of a new customer in the course of an insurance application processing). In the following, the procedure is sketched as an example for the IT-driven approach in ADOIT:


Categorize and assign data


By means of business objects or entities, the relevant data is categorized (personal and sensitive data) and documented. The ADOIT and ADONIS repositories can be used to reuse the appropriate predefined schemas.


Catalogue and assign applications


In the next step, data processing applications are now recorded or updated. In many cases, this is done from an existing application landscape.


Assign processes


In a next step, processes are assigned and identified. These usually represent the purpose of the processing.


Identify and assign affected persons and recipients


The relevant data recipients are catalogued as organizational units or external actors (e.g. cloud provider) and affected persons are identified and described in the ADONIS or ADOIT repository.


Identify and assign risks and controls


Lastly, the relevant risks can be entered and assigned. This initial assessment and assignment serves as a basis for risk assessment.

This structured information acquisition allows to generate necessary reports and evaluations. For this purpose, the BOC Group provides specific sample reports and evaluations contained in the extension module. The following figure shows a few examples of reports and evaluations contained in the add-on module for ADOIT for the EU GDPR:




This is our offer to you.

The successful implementation of the requirements of the EU GDPR not only presents you with a comprehensive challenge regarding documentation, but also with regards to provision of proofs and sustainable updating. ADONIS and ADOIT offer you tried and tested mechanisms in order to save considerable effort and avoid the risks of inconsistent management systems. With the add-on modules for ADONIS and ADOIT, trainings and workshops by our experienced consultants as well as extended coaching, you will prepare yourself in time. Sign up today and arrange a non-binding meeting!

Contact us



Enrique Lobo Cruz

P +353-1-871 94 16
F +353-1-871 94 17