Comply with the requirements of the European General Data Protection Regulation (GDPR) with the help of ADONIS and ADOIT

Organizations around the world are now faced with a unique challenge related to the processing and use of personal data of European citizens. The European General Data Protection Regulation (GDPR) was adopted by the European Parliament in May 2016 with an implementation period of two years, meaning it enters into force in May 2018. It regulates processing of personal data by private companies and public bodies uniformly throughout the European Union and applies directly to the citizens of all member states.


The GDPR aim is to strengthen the rights of citizens of the European Union (EU) and European Economic Area (EEA) with regard to how organizations use their personal data and how it is protected. It applies to any organization inside or outside the EU that is marketing or selling products or services to citizens of the EU an EEA, and/or that is tracking the online behavior of citizens of the EU and EEA. That means: If you are doing business with Europeans involving the processing of their personal data, GDPR applies to you, regardless of your place of business.

Although some detailed questions have not yet been fully answered by the new regulation, the following major changes to existing legal regulations have already been decided upon:


  • Increased information requirements regarding the use of data
  • Obligation to preserve the right of data disclosure
  • Mandatory appointment of a data protection officer
  • Obligation to send a data breach notification to affected parties
  • and to the authorities in the event of a breach of data security
  • Significantly increased penalty range: up to 4% of the annual global turnover


Because of these and similar changes, companies around the world are required to take measures to ensure compliance with the GDPR until it is entered into force.


For this reason, we have developed an add-on to easily meet and prove compliance to the various aspects of the GDPR using ADONIS or ADOIT.


In this article, we will be looking at the details of the requirements and current implementation proposals with our process management and enterprise architecture management tools.



Contact us today to get more details on how our Add-On-Module for ADONIS and ADOIT works.


Contact us

Basic information on the EU GDPR

From the point of view of electronic data processing, the following aspects of data and their processing are at the forefront of the EU GDPR:


  • Personal data: All information relating to an identified or identifiable natural person.
  • Sensitive data (particularly worthy data): data of natural persons about their racial and ethnic origin, political opinion, etc.
  • Processing: An operation carried out with or without the help of automated procedures or any series of operations related to personal data such as collection, organization, sorting, storage, adaptation or modification, reading, retrieving, use, disclosure by transmission, dissemination or any other form of provision, reconciliation or linking, limitation, deletion or destruction.
  • Profiling: Any type of automated processing of personal data consisting of using these personal data to assess certain personal aspects relating to a natural person, in particular aspects relating to work performance, economic situation, health, personal preferences, interests, reliability, behaviour, location or change of location of such natural person.


In the course of the processing of different data types, the following actors are also distinguished:


  • Persons affected: Have an interest in the protection of their personal or sensitive data.
  • Persons responsible: Decide on the type of data processing.
  • Order processors: Process data on the instructions of the persons responsible.


Essential tasks to be addressed to data processing companies include, for example, the following:

  • Creation and maintenance of the list of all processing activities (Article 30 EU GDPR),
  • Implementation of technical and organizational measures (Article 21 EU GDPR),
  • Compliance with the statutory clearance obligation (Art. 17 EU GDPR) and their standardization, and
  • Follow-up assessments (Article 35 EU GDPR).


By means of existing functions and evaluations (such as the basic contextualization of information, measures monitoring or risk evaluations) as well as by a simple method and an intuitive tool, the BOC Group can support you and your company excellently.

Focus: List of processing activities

The main focus of the present work is on the compulsory list of processing activities: The obligation to provide documentation thereby concerns the persons responsible and the order processor. Content of this list is the essential information on data processing activities, in particular information on the purpose of the processing, a description of the categories of the personal data, a description of the persons concerned and the recipients. This directory must include the following details:


  • The name and contact details of the person responsible and, where appropriate, the person in charge, the representative of the person responsible and any data protection officer.
  • The purpose of processing.
  • A description of the categories of persons concerned and the categories of personal data.
  • The categories of recipients against which the personal data have been disclosed or will be disclosed, including recipients in third countries or international organizations.
  • Where appropriate, transfers of personal data to a third country or international organization, including the name of the third country or international organization concerned.
  • If possible, the deadlines for deleting the various categories of data as well as
  • If possible, a general description of the technical and organizational measures.


The following graphic shows a possible set-up, structure and content of a directory for processing activities:

Product extensions in ADONIS and ADOIT

For both our Business Process Management suite ADONIS and our Enterprise Architecture Management tool ADOIT, we have developed product extensions to the EU GDPR. This allows a simple expansion of documentation and evaluation for existing customers, while new prospective customers can also address the requirements of the GDPR.


  • From the point of view of the process-driven GDPR documentation, ADONIS supports you in detailing the processing directory. The starting point is the process map and the process sequences described. From there, the processing activities are described and the relevant data categories are identified.
  • If you are following an IT-driven approach, ADOIT can help you in capturing the processing activities from the point of view of your application map, and in turn assigning the corresponding artefacts to them.


To enable these two approaches, we extend our products with a new artefact, the processing activity. The following figure shows how the artefact is embedded into the meta model of ADOIT. Similarly, the extension is done in ADONIS.

Procedure for collection, preparation and evaluation

The extension of your documentation is supplemented by a suitable and efficiently cut procedure model. Here, the focus is on the corresponding processing activity (e.g. creation of a new customer in the course of an insurance application processing). In the following, the procedure is sketched as an example for the IT-driven approach in ADOIT:


Identify categories of data types


ADOIT and ADONIS can categorize and document the relevant data using business objects/entities.


Identify affected persons


For each business object or entity, the both solutions from BOC can identify the types of affected persons by data categories as well as describe the roles of the people or external actors.


Catalogue/update applications


In the next step, data processing applications are now recorded or updated. In many cases, this stage is done from an existing application landscape.


Identify and document the processing activity


The processing activity is considered to be the pivotal point of all the relevant information. ADONIS or ADOIT record processing activities linked with the business objects/entities. The processing activities should be assigned not only to the affected persons according to roles, but also to the processing applications and processes (on a high-level or detail level).


Identify and assign recipients


ADONIS or ADOIT catalog the relevant data recipients as organizational units or external actors (e.g. cloud providers) and assign the recipients to the processing activities.


Identify and assign risks and controls


After analyzing the master data for the processing activities, the systems can assign the relevant risks to the activities. They can also provide an initial risk assessment with regards to the probability of the happening and the extent of damage when it happens. ADONIS and ADOIT can document necessary controls in an integrated manner as well. The initial assessment and assignment serve as a base for risk assessment. Risk allocation and evaluation must be updated at intervals.

This structured information acquisition allows to generate necessary reports and evaluations. For this purpose, the BOC Group provides specific sample reports and evaluations contained in the extension module. The following figure shows a few examples of reports and evaluations contained in the add-on module for ADOIT for the EU GDPR:




This is our offer to you.

The successful implementation of the requirements of the EU GDPR not only presents you with a comprehensive challenge regarding documentation, but also with regards to provision of proofs and sustainable updating. ADONIS and ADOIT offer you tried and tested mechanisms in order to save considerable effort and avoid the risks of inconsistent management systems. With the add-on modules for ADONIS and ADOIT, trainings and workshops by our experienced consultants as well as extended coaching, you will prepare yourself in time. Sign up today and arrange a non-binding meeting!

Contact us



Enrique Lobo Cruz

P +353-1-871 94 16
F +353-1-871 94 17