diff --git a/src/lib/assets/i18n/eng.json b/src/lib/assets/i18n/eng.json
new file mode 100644
index 0000000..3cffb3e
--- /dev/null
+++ b/src/lib/assets/i18n/eng.json
@@ -0,0 +1,1711 @@
+{
+ "about": {
+ "contribute": "If you wish to contribute to the translation of the software in another language or improve the existing translations, we recommend you to read the page describing the steps to follow.",
+ "description": "This tool is originally designed by the Commission Nationale Informatique et Liberté (CNIL), the French Data Protection Authority, to help data processor to be compliant with the GDPR. It was developed by ATNOS.
This software is free and open. If you wish to get involved in this project, you are welcome to download the source code from Github, modify it and share it with the community.",
+ "licences": "Library licences:",
+ "title": "About the Tool PIA",
+ "translators": "The PIA software is currently available in twenty languages. The French and English versions are provided by the CNIL. The others versions result from the contributions of the following individuals:",
+ "translators_name": "",
+ "version_number": "Version number"
+ },
+ "action_plan": {
+ "acceptable_measures": "Acceptable measures",
+ "edit": "Edit",
+ "improvable_measures": "Improvable measures",
+ "measures": "Planned or existing measures",
+ "no_action_plan": "No action plan recorded.",
+ "placeholder_person_in_charge": "Implementation responsible",
+ "principles": "Fundamental principles",
+ "risk1": "Illegitimate access to data",
+ "risk2": "Unwanted modification of data",
+ "risk3": "Data disappearance",
+ "risks": "Risks",
+ "title": "Overview"
+ },
+ "authentication": {
+ "12_characters": "12 characters",
+ "account_recovery": "Password recovery",
+ "activation_code": "Activation code",
+ "cancel": "Cancel",
+ "confirm": "Confirm",
+ "confirmation": "Confirmation",
+ "continue": "Continue",
+ "activate_account": "activate account",
+ "create_account": "Sign up",
+ "create_account2": "Create account",
+ "description": "This software by the French Data Protection Authority (CNIL) is meant to guide the data controllers in building and demonstrating compliance to the GDPR. 
It helps to properly carry out a data protection impact assessment by facilitating the use of the PIA method developed by the CNIL.",
+ "email": "Email",
+ "email_placeholder": "Email",
+ "forgotten_password": "Forgotten ?",
+ "login": "Login",
+ "lowercase": "Lowercase",
+ "password": "Password",
+ "password_security": "Password security",
+ "recovery_code": "Reset code",
+ "recovery_code_message": "An email containing a code has been sent to this email. Please enter the code in the field below.",
+ "recovery_code_not_sent": "Unreceived code?",
+ "saved_password": "Your password is saved. You can now sign in.",
+ "sign_in": "Sign in",
+ "sign_in_button": "Sign in",
+ "sign_out_button": "Sign out",
+ "special_character": "Special character (!@#$%^&*()?...)",
+ "number": "Number",
+ "start": "Start",
+ "start_app": "Access the PIA's software (Beta)",
+ "subtitle1": "A platform to create
and manage your PIAs",
+ "subtitle2": "Access tools and glossaries",
+ "title": "Privacy impact assessment",
+ "transaction_error": "Unable to process your request.",
+ "uppercase": "Uppercase",
+ "wrong_activation_code": "(wrong)",
+ "wrong_confirmation": "TO TRANSLATE - Passwords are not the same",
+ "wrong_email": "Wrong email",
+ "sso": "SSO connection",
+ "errors": {
+ "sign_in": {
+ "400": "Wrong email or password."
+ },
+ "create_account": {
+ "uuid": {
+ "404": "Wrong activation code",
+ "406": "This account is already activated"
+ },
+ "password": {
+ "404": "User not found",
+ "406": "The password does not meet the password policy requirements."
+ }
+ },
+ "account_recovery": {
+ "email": {
+ "404": "User not found",
+ "423": "Account locked"
+ },
+ "uuid": {
+ "404": "Wrong recovery code"
+ },
+ "password": {
+ "404": "User not found",
+ "406": "The password does not meet the password policy requirements."
+ }
+ },
+ "unauthorized": "You are not allowed to access this ressource.",
+ "incompatibility": "Version incompatibility between your server (pia-back) and your application (pia). Please contact your IT department." 
+ }
+ },
+ "cartography": {
+ "important": "Important",
+ "legend1": "Planned or existing measures",
+ "legend2": "With the corrective measures implemented",
+ "legend3": "(I)llegitimate access to data",
+ "legend4": "(U)nwanted modification of data",
+ "legend5": "(D)ata disappearance",
+ "likelihood_axe": "Risk likelihood",
+ "limited": "Limited",
+ "maximal": "Maximum",
+ "negligible": "Negligible",
+ "risk1_access": "(I)",
+ "risk2_modification": "(U)",
+ "seriousness_axe": "Risk seriousness"
+ },
+ "comments": {
+ "comment": "Comment",
+ "written_by": "Written by",
+ "comments_count": "comment(s)",
+ "new_comment": "Comment",
+ "placeholder_new_comment": "Leave a comment",
+ "send": "Send"
+ },
+ "conflict": {
+ "keep_initial": "Keep initial content",
+ "keep_new": "Update with new content",
+ "initial_content": "Initial content",
+ "merge": "Merge both contents",
+ "new_content": "New content",
+ "title": "Conflict detected"
+ },
+ "date": {
+ "april": "April",
+ "august": "August",
+ "december": "December",
+ "earlier-in-this-month": "Earlier this month",
+ "earlier-in-this-week": "Earlier this week",
+ "february": "February",
+ "january": "January",
+ "july": "July",
+ "june": "June",
+ "march": "March",
+ "may": "May",
+ "november": "November",
+ "october": "October",
+ "september": "September",
+ "today": "Today",
+ "yesterday": "Yesterday"
+ },
+ "errors": {
+ "content": "If you encounter other problems or if you have suggestions for improvement,
you can send them back via this form: https://www.cnil.fr/fr/webform/vos-retours-sur-loutil-pia",
+ "title": "Page not found."
+ },
+ "evaluations": {
+ "acceptable": "Acceptable",
+ "action_plan_comment": "Action plan / corrective actions",
+ "evaluation_comment": "Evaluation comment",
+ "gauges": {
+ "0": "(Undefined)",
+ "1": "Negligible",
+ "2": "Limited",
+ "3": "Important",
+ "4": "Maximum",
+ "likelihood": "Taking into account the action plan, how do you re-evaluate the likelihood of this risk?",
+ "seriousness": "Taking into account the action plan, how do you re-evaluate the seriousness of this risk?"
+ },
+ "improvable": "Improvable",
+ "placeholder_acceptable": "According to the available information, the measures implemented are adequate to properly meet the requirements for protecting the data.",
+ "placeholder_improvable1": "According to the available information, additional measures are to be implemented in order to improve the data protection of the processing.",
+ "placeholder_improvable2": "Enter your comments.",
+ "placeholder_to_correct": "The information provided are not sufficient to properly evaluate them. 
Send back to the editor to improve the original submission.",
+ "status": [
+ "Pending",
+ "To correct",
+ "Improvable",
+ "Acceptable"
+ ],
+ "title": "Evaluation",
+ "to_correct": "To correct"
+ },
+ "header": {
+ "archives": "PIA Archives",
+ "current_pias": "Current PIAs",
+ "exit_full_screen_mode": "Press F11 to exit full screen mode.",
+ "help": {
+ "issue_reporting": "Report an issue",
+ "manual": "User manual",
+ "pia_example_link": "PIA example",
+ "title": "Help"
+ },
+ "homepage_link": "My PIAs",
+ "knowledge_base_link": "Knowledge base",
+ "languages": {
+ "ar": "العربية",
+ "bg": "Български",
+ "cnil_translations": "CNIL provided translations",
+ "community_translations": "Community provided translations",
+ "cz": "Česky",
+ "de": "Deutsch",
+ "dk": "Dansk",
+ "dpa_translations": "Translation revised by European DPA",
+ "el": "Ελληνικά",
+ "en": "English",
+ "es": "Español",
+ "et": "Eesti keel",
+ "fi": "Suomi",
+ "fr": "Français",
+ "hr": "Hrvatski",
+ "hu": "Magyar",
+ "it": "Italiano",
+ "lt": "Lietuviškai",
+ "lv": "Latviešu valoda",
+ "nl": "Nederlands",
+ "no": "Norsk",
+ "official_translation": "Original version",
+ "pl": "Polski",
+ "pt": "Português",
+ "ro": "Română",
+ "sl": "Slovenščina",
+ "sv": "Svenska"
+ },
+ "logo_subtitle": "",
+ "logo_title": "Privacy impact assessment",
+ "structures": "PIA templates",
+ "tools": {
+ "about": "About",
+ "accessibility": "Visually impaired accessibility (high contrast colors, daltonism)",
+ "onboarding": "Restart tutorial",
+ "settings": "Settings",
+ "url_setting": "Server URL configuration",
+ "users": "Users"
+ }
+ },
+ "help": {
+ "definition": {
+ "data1": {
+ "content": "Content being written",
+ "title": "Use the PIA tool"
+ },
+ "data2": {
+ "qa1": {
+ "content": "When encountering those display issues, close the application and reload it. It usually fixes the issue. 
You won’t lose the information you have entered ; it is automatically saved as you type.",
+ "title": "I get display issues such as icons being stuck in one state or missing elements from the interface"
+ },
+ "qa2": {
+ "content": "This known issue is currently being fixed. If you encounter this problem, we recommend that you fill in the justification field of the estimated level of severity and / or likelihood. You will be able to edit the gauge once the bug is fixed.",
+ "title": "I can’t edit the gauges for evaluating the severity and likelihood of a risk"
+ },
+ "qa3": {
+ "content": "Several bugs have been observed when importing a PIA, and in particular the level gauges for evaluating the severity and likelihood of a risk may disappear. In this case, please refer to the above mentioned issue. Besides, a PIA may not appear on the dashboard after importing it. This is a display issue and you just need to refresh the page.",
+ "title": "I encounter issues when importing a PIA"
+ },
+ "qa4": {
+ "content": "This is only a display bug and it has no effect on the text you enter in a field. This visual problem will be fixed soon.",
+ "title": "When I copy / paste text, it is highlighted."
+ },
+ "qa5": {
+ "content": "In order to evaluate a section, it is mandatory to fill in all the fields. Please check if this is the case. When editing a risk, you must have at least one technical or organizational measure that mitigates the risk in order to ask for an evaluation of the risk.",
+ "title": "I can’t evaluate a section"
+ },
+ "qa6": {
+ "content": "Please close the PIA you are editing and re-open it. The content should then be displayed in the language you have selected.",
+ "title": "When switching language, the texts are not translated"
+ },
+ "qa7": {
+ "content": "For the moment, the navigation menu icons are not refreshed after refusing a PIA. 
You have to check each section and change the information and/or evaluation according to the reasons for refusing the PIA. Once all section have been reviewed, you should be able to request PIA validation again.",
+ "title": "I have refused to validate a PIA but I don’t know what to do now"
+ },
+ "title": "Known Issues"
+ },
+ "footer": "If you have any other problems or suggestions for improvement, you can visit our Github resository and submit an issue or a pull request."
+ },
+ "title": "Help"
+ },
+ "homepage": {
+ "cards": {
+ "author": "Editing",
+ "category": "Category",
+ "creation_status": "Creation",
+ "date": "Date",
+ "evaluation": "Review",
+ "guest": "Guest(s)",
+ "import_pia": "Import PIA",
+ "import_structure": "Import template",
+ "item": {
+ "consult_pia": "Consult",
+ "consult_structure": "Consult template",
+ "edit_pia": "Edit",
+ "edit_structure": "Edit template",
+ "tools": {
+ "action_plan": "Display
action plan",
+ "archive": "Archive",
+ "duplicate": "Duplicate",
+ "export": "Export",
+ "more_options": "More options",
+ "pia": "Display
PIA",
+ "remove": "Delete",
+ "unarchive": "Unarchive"
+ },
+ "validate_pia": "Validate"
+ },
+ "knowledges": {
+ "edit": "Edit the base",
+ "import": "Import a base",
+ "new": "Create a base",
+ "placeholder_author": "Author",
+ "placeholder_contributors": "Contributors",
+ "placeholder_entry_number": "Number of entries",
+ "placeholder_name": "Base's name"
+ },
+ "knowledges_entry": {
+ "all_sections": "All sections",
+ "choose_category": "Choose a category",
+ "contents": "Contents",
+ "create": "Create this element",
+ "linked_to": "Linked to",
+ "new": "Create an element",
+ "placeholder_category": "Category",
+ "placeholder_description": "Your description here...",
+ "placeholder_name": "Element's name",
+ "placeholder_updated_at": "Last updated"
+ },
+ "new_pia": "New PIA",
+ "new_structure": "New template",
+ "or": "or",
+ "pia_name": "PIA",
+ "placeholder_author": "Firstname, lastname",
+ "placeholder_category": "Category",
+ "placeholder_evaluation": "Firstname, lastname",
+ "placeholder_import_knowledgeBase": "Import base",
+ "placeholder_import_pia": "Import PIA",
+ "placeholder_import_structure": "Import template",
+ "placeholder_new_knowledgeBase": "New base",
+ "placeholder_new_pia": "New PIA",
+ "placeholder_new_structure": "New template",
+ "placeholder_pia_name": "PIA's title",
+ "placeholder_sector_name": "Associated sector's name",
+ "placeholder_start": "All fields must be filled",
+ "placeholder_structure": "Default template",
+ "placeholder_structure_name": "Template's title",
+ "placeholder_validation": "Firstname, lastname",
+ "sector_name": "Sector",
+ "start": "Start",
+ "status": "Status",
+ "structure": "Template",
+ "structure_name": "Template's name",
+ "title_close_creation": "Close",
+ "validation": "Validation"
+ },
+ "filters": {
+ "assessor": "Reviewer",
+ "author": "Author",
+ "card": "Card view",
+ "card_rocket_content": "Get started !
To initiate a PIA,
click on the +",
+ "card_rocket_content_structure": "Get started ! To initiate
a template, click on the +",
+ "category": "Category",
+ "date": "Date",
+ "import_pia": "Import PIA",
+ "import_structure": "Import template",
+ "list": "List view",
+ "list_rocket_content": "Get started !
To initiate a PIA, click on the +",
+ "list_rocket_content_structure": "Get started ! To initiate
a template, click on the +",
+ "name": "Name",
+ "new_pia": "New PIA",
+ "new_structure": "New template",
+ "sector_name": "Associated sector",
+ "sort": "Sort",
+ "sort_by": "by",
+ "status": "Status",
+ "validator": "Validator"
+ },
+ "lists": {
+ "column_actions": "Actions",
+ "column_author": "Editing",
+ "column_category": "Category",
+ "column_creation": "Created",
+ "column_evaluation": "Review",
+ "column_pia": "PIA",
+ "column_progression": "Progress",
+ "column_sector_name": "Associated sector",
+ "column_status": "Status",
+ "column_structure": "Template",
+ "column_structure_name": "Template",
+ "column_updated_at": "Last opened",
+ "column_validation": "Validation",
+ "item": {
+ "tools": {
+ "action_plan": "Display action plan",
+ "archive": "Archive",
+ "consult": "Consult",
+ "duplicate": "Duplicate",
+ "edit": "Edit",
+ "export": "Export",
+ "pia": "Display PIA",
+ "remove": "Delete",
+ "unarchive": "Unarchive"
+ }
+ }
+ },
+ "search_filter": "Search",
+ "no_entries": {
+ "pia": "No PIA created and/or assigned",
+ "archive": "No PIA archive"
+ }
+ },
+ "knowledge_base": {
+ "add_measure": "Add",
+ "add_measure_hint": "You can also add a measure from the knowledge base.",
+ "category": {
+ "definition": "Definition",
+ "example": "Example",
+ "general_measure": "Physical Security control",
+ "measure_on_data": "Logical security control",
+ "method": "Methodology",
+ "organizational_measure": "Organisational control",
+ "principle": "Principle"
+ },
+ "choose_knowledge_base": "Choose your knowledge base",
+ "default_knowledge_base": "CNIL's knowledge base",
+ "filters": {
+ "all": "All",
+ "definitions": "Definitions",
+ "general_measures": "Physical Security controls",
+ "measures_on_data": "Logical security controls",
+ "no_result": "No result found.",
+ "organizational_measures": "Organisational controls",
+ "title": "Filters"
+ },
+ "placeholder_add_measure": "Add this measure",
+ "placeholder_help": "Entry aids",
+ "search": "Search",
+ "slugs": 
{
+ "PIA_DEF_ACC": {
+ "description": "The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the information described in Art. 15 of [GDPR]",
+ "name": "Right of access",
+ "source": "GDPR Art. 15"
+ },
+ "PIA_DEF_ANO": {
+ "description": "Process removing the identifying characteristics from personal data. To assess the robustness of an anonymisation processes, see the WP29 guidelines.",
+ "name": "Anonymisation",
+ "source": "Mesures_US and G29 guidelines http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp216_en.pdf"
+ },
+ "PIA_DEF_ARCH": {
+ "description": "Procedures preserving and managing the electronic archives containing the personal data intended to ensure their value (specifically, their legal value) throughout the entire period necessary (transfer, storage, migration, accessibility, elimination, archiving policy, protection of confidentiality, etc.).",
+ "name": "Archiving",
+ "source": "Mesures_USE Archiving"
+ },
+ "PIA_DEF_AUTH": {
+ "description": "Every person with legitimate access to personal data (employees, contracting parties and other third parties) should be identified by a unique identifier. Choose an authentication method to open sessions that is appropriate to the context, the risk level and the robustness expected. 
Recommendations: if the risks are not elevated, a password may be used; however, if the risks are higher, use a one-time password token but change the default activation password, or, when part of the password is sent by SMS, a card with a PIN code, an electronic certificate or any other form of strong authentication.",
+ "name": "Authentication",
+ "source": "Mesures_US Logical Access Control"
+ },
+ "PIA_DEF_CHIF": {
+ "description": "Measure making personal data unintelligible to anyone without access authorization (symmetric or asymmetric encryption, use of public algorithms known to be strong, authentication certificate, etc.).",
+ "name": "Encryption",
+ "source": "Mesures_US Encryption"
+ },
+ "PIA_DEF_CLO": {
+ "description": "Data organisation methods that reduce the possibility that personal data can be correlated and that a breach of all personal data may occur. For instance, by identifying the personal data useful only to each business process and logically separating them.",
+ "name": "Data partitioning",
+ "source": "PIA3 p19 - WIKI"
+ },
+ "PIA_DEF_CONS": {
+ "description": "Any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
See Art. 4.10 of [GDPR]",
+ "name": "Consent",
+ "source": "GDPR Art. 4.10"
+ },
+ "PIA_DEF_CTLA": {
+ "description": "Means implemented to limit the risks that unauthorized persons will access personal data electronically, it requires among other things to :
- manage users' profiles by separating tasks and areas of responsibility (preferably in centralised fashion) to limit access to personal data exclusively to authorised users by applying need-to-know and least-privilege principles;
- withdraw the rights of employees, contracting parties and other third parties when they are no longer authorised to access a premises or a resource or when their employment contract ends.",
+ "name": "Logical access controls",
+ "source": "PIA3 p43 - WIKI"
+ },
+ "PIA_DEF_DCP": {
+ "description": "Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
See Art. 4.1 of [GDPR]",
+ "name": "Personal data",
+ "source": "GDPR Art 4.1"
+ },
+ "PIA_DEF_DEST": {
+ "description": "Natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.
See Art. 4.9 of [GDPR]",
+ "name": "Recipient",
+ "source": "GDPR Art. 4.9"
+ },
+ "PIA_DEF_EFF": {
+ "description": " The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay, see Art. 17 of [GDPR]",
+ "name": "Right to erasure",
+ "source": "GDPR Art. 17"
+ },
+ "PIA_DEF_ENJ": {
+ "description": "Expected benefits (for the organisation, for the data subjects, for society in general, etc.).",
+ "name": "Stakes",
+ "source": "PIA1 p4 footnote 8"
+ },
+ "PIA_DEF_EXA": {
+ "description": "Personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’).
See Art. 5.1 d) of [GDPR]",
+ "name": "Quality of data",
+ "source": "GDPR Art. 5.1 d)"
+ },
+ "PIA_DEF_GRV": {
+ "description": "Severity represents the magnitude of a risk. It primarily depends on the prejudicial nature of the potential impacts.",
+ "name": "Severity",
+ "source": "PIA1 page 6"
+ },
+ "PIA_DEF_LIM": {
+ "description": "The data subject shall have the right to obtain from the controller restriction of processing, see Art. 18 of [GDPR]",
+ "name": "Right to restricting of processing",
+ "source": "GDPR Art. 18"
+ },
+ "PIA_DEF_LOG": {
+ "description": "Set up a logging architecture to allow early detection of incidents involving personal data and to have information that can be used to analyze them or provide proof in connection with investigations.",
+ "name": "Surveillance",
+ "source": "Mesures_US Surveillance"
+ },
+ "PIA_DEF_MEN": {
+ "description": "Procedure comprising one or more individual actions on data supporting assets. It is used, intentionally or otherwise, by risk sources and may cause a feared event.",
+ "name": "Threat",
+ "source": "PIA1 p12 - WIKI"
+ },
+ "PIA_DEF_MENA": {
+ "description": "Threats regarding: - Hardware, used inappropriately, observed, altered, lost (use or transportation of sensitive hardware for personal purposes, watching a person's screen without their knowledge while on the train, tracking by a hardware-based key logger, etc.)
- Software, used inappropriately, observed, altered (raising of privileges, collection of configuration data, infection by malicious code, etc.)
- Computer channels observed (Interception of Ethernet traffic, etc.)
- People, observed, manipulated, lost (Unintentional disclosure of information, social engineering, assignment changes)
- Paper documents observed, lost (reading, theft of mail, etc.)
- Paper transmission channels observed (reading of signature books in circulation, etc.)",
+ "name": "Threats that can lead to an illegitimate access",
+ "source": "PIAF Connected objects p44 and 45"
+ },
+ "PIA_DEF_MENI": {
+ "description": "Threats regarding :
- Hardware : used inappropriately, overloaded, altered, damaged, lost (storage unit full, processing capacity overload, addition of incompatible hardware resulting in malfunctions, fire, theft or loss of an asset, etc.)
- Software : used inappropriately, overloaded, altered, damaged, lost (erasure of data, exceeding of database size, logic bomb, non-renewal of the licence for software used to access data, etc.)
- Computer channels : overloaded, altered, lost (unauthorised downloading, loss of Internet connection, etc.)
- People : overloaded, damaged, lost (poor use of skills, disease, retirement, etc.)
- Paper documents : used inappropriately, damaged, lost (erasure, aging of archived documents, theft or loss of documents, etc.)
- Paper transmission channels : overloaded, damaged, altered, lost (mail delivery halted by a strike, reassignment of offices or premises, loss of a document delivery company, reorganisation of paper transmission channels, etc.)",
+ "name": "Threats that can lead to a disappearance of personal data",
+ "source": "PIAF Connected Objects p44 and 45, WIKI"
+ },
+ "PIA_DEF_MENM": {
+ "description": "Threats regarding :
- Hardware altered (addition of incompatible hardware resulting in malfunctions, removal of essential components, etc.)
- Software used inappropriately or altered (Unwanted modifications to data in databases, operator errors that modify data, etc.)
- Computer channels used inappropriately (resending of intercepted data, etc.)
- People overloaded or manipulates (assignment of staff to tasks beyond their abilities, stress or negative changes in working conditions, influence, etc.)
- Paper documents that have been altered (changes to figures in a file, replacement of an original by a forgery, etc.)
- Paper transmission channels that have been altered (change from one signature book to another, sending of multiple conflicting documents, etc.)",
+ "name": "Threats that can lead to an unwanted modification of personal data",
+ "source": "PIAF Connected Objects p43 and 44, WIKI"
+ },
+ "PIA_DEF_MES": {
+ "description": "To be chosen among those available in section \"Planned or existing measures\", which you may complete if needed.",
+ "name": "Measures",
+ "source": "None"
+ },
+ "PIA_DEF_MIN1": {
+ "description": "When data are being imported, different types of metadata (such as EXIF data with an image file attached) can unintentionally be collected.
Such metadata must be identified and eliminated if they are unnecessary for the purposes specified.",
+ "name": "Filtering and removal",
+ "source": "PIAF Connected objects p42 - WIKI"
+ },
+ "PIA_DEF_MIN2": {
+ "description": "Once sensitive data have been received, as part of a series of general information or transmitted for statistical purposes only, these can be converted into a less sensitive form or pseudonymised. For example :
- if the system collects the IP address to determine the user's location for a statistical purpose, the IP address can be deleted once the city or district has been deduced
- if the system receives video data from surveillance cameras, it can recognise people who are standing or moving in the scene and blur them
- if the system is a smart meter, it can aggregate the use of energy over a certain period, without recording it in real time",
+ "name": "Reducing sensitivity via conversion",
+ "source": "PIAF Connected objects p42 - WIKI"
+ },
+ "PIA_DEF_MIN3": {
+ "description": "The system can ensure that:
- the user can use a resource or service without the risk of disclosing his/her identity (anonymous data)
- the user can use a resource or service without the risk of disclosing his/her identity, but remain identifiable and responsible for this use (pseudonymous data)
- the user can make multiple uses of resources or services without the risk of these different uses being linked together (data cannot be correlated)
- the user can use a resource or service without the risk of others, third parties in particular, being able to observe that the resource or service is being used (non-observability)
The choice of a method from the list above must be made on the basis of the threats identified. For some types of threat to privacy, pseudonymization will be more appropriate than anonymisation (for example, if there is a traceability need). In addition, some threats to privacy will be addressed using a combination of methods.",
+ "name": "Reducing the identifying nature of data",
+ "source": "PIAF Connected objects p42 - WIKI"
+ },
+ "PIA_DEF_MIN4": {
+ "description": "The system can be organised into independent parts with separate access control functions. The data can also be divided between these independent sub-systems and controlled by each sub-system using different access control mechanisms. If a sub-system is compromised, the impacts on all of the data can thus be reduced.",
+ "name": "Reducing data accumulation",
+ "source": "PIAF Connected objects p42 - WIKI"
+ },
+ "PIA_DEF_MIN5": {
+ "description": "The system can limit data access according to the \"need to know\" principle. The system can separate the sensitive data and apply specific access control policies. The system can also encrypt sensitive data to protect their confidentiality during transmission and storage. 
Access to temporary cookies which are produced during the data processing must also be protected.",
+ "name": "Restricting data access",
+ "source": "PIAF Connected objects p42 - WIKI"
+ },
+ "PIA_DEF_MINC": {
+ "description": "Reduce the severity of risks by limiting the amount of personal data to what is strictly necessary to achieve a defined purpose, otherwise the data shall be not collected.",
+ "name": "Minimising the amount of personal data",
+ "source": "WIKI Minimisation_des_données_:_adéquates,_pertinentes_et_limitées"
+ },
+ "PIA_DEF_MIND": {
+ "description": "Reduce the severity of risks by minimizing the data themselves, by taking measures aimed at reducing their sensitivity such as filtering and removing unnecessary data, pseudonymising data, etc.",
+ "name": "Minimization of data themselves",
+ "source": "PIA3 p64"
+ },
+ "PIA_DEF_OPP": {
+ "description": "The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her, pursuant to Art. 21 of [GDPR]",
+ "name": "Right to object",
+ "source": "GDPR Art. 21"
+ },
+ "PIA_DEF_PBDS": {
+ "description": "Measures taken to integrate the protection of personal data in all new processing operations (trusted names, guidelines, CNIL methodology for risk management or other internal methodology).",
+ "name": "Project Management",
+ "source": "Mesures_US"
+ },
+ "PIA_DEF_PC": {
+ "description": "Persons to whom the data covered by the processing relate.",
+ "name": "Data subject",
+ "source": "PIA1 p9"
+ },
+ "PIA_DEF_PORT": {
+ "description": " The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, see Art. 
20 of [GDPR]",
+ "name": "Right to data portability",
+ "source": "GDPR Art. 20"
+ },
+ "PIA_DEF_PSEU": {
+ "description": "Processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
Pseudonymisation reduces the linkability of a dataset with the original identity of a data subject; as such, it is a useful security measure but not a method of anonymisation.",
+ "name": "Pseudonymisation",
+ "source": "GDPR Art. 4.5 and guidelines G29 p22 http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp216_en.pdf"
+ },
+ "PIA_DEF_PWD": {
+ "description": "Passwords shall be composed of a minimum of eight characters; must be renewed if there is the least concern that they may have been compromised and, possibly, periodically (every six months or once a year) and must include a minimum of three of the four kinds of characters (capital letters, lower case letters, numerals and special characters); when a password is changed, the last five passwords may not be reused; the same password should not be used for different accesses; passwords should not be related to one's personal information (including name or date of birth.). Define a maximum number of attempts beyond which a warning is issued and authentication is blocked (temporarily or until it is manually unblocked).",
+ "name": "Password",
+ "source": "Mesure_US"
+ },
+ "PIA_DEF_RECT": {
+ "description": "The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.",
+ "name": "Right to rectification",
+ "source": "GDPR Art. 
16"
+ },
+ "PIA_DEF_RGPD": {
+ "description": "Regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.",
+ "name": "GDPR (General Data Protection Regulation",
+ "source": "GDPR title"
+ },
+ "PIA_DEF_RT": {
+ "description": "Natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
See Art. 4.7 of [GDPR]",
+ "name": "Controller",
+ "source": "GDPR Art. 4.7"
+ },
+ "PIA_DEF_SRC": {
+ "description": "Person or non-human source that can cause a risk. This source may act accidentally or deliberately.",
+ "name": "Risk source",
+ "source": "PIA1 p11 - WIKI"
+ },
+ "PIA_DEF_ST": {
+ "description": "Natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller, see Art. 4.8 of [GDPR].
The processor and any person acting under the authority of the controller or of the processor, who has access to personal data, shall not process those data except on instructions from the controller, unless required to do so by Union or Member State law, see Art. 29 of [GDPR].",
+ "name": "Processor",
+ "source": "GDPR Art. 4.8 and 29"
+ },
+ "PIA_DEF_SUPT": {
+ "description": "Asset on which personal data rely. This may be hardware, software, networks, people, paper or paper transmission channels",
+ "name": "Supporting assets",
+ "source": "PIA1 p10"
+ },
+ "PIA_DEF_VIOL": {
+ "description": "Breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.",
+ "name": "Personal data breach",
+ "source": "GDPR Art. 4.12"
+ },
+ "PIA_DEF_VRA": {
+ "description": "Likelihood expresses the possibility of a risk occurring. It primarily depends on the level of vulnerabilities of the supporting assets when under threat and the level of capabilities of the risk sources to exploit them.",
+ "name": "Likelihood",
+ "source": "PIA1 page 6"
+ },
+ "PIA_EX_DC": {
+ "description": "Data for a score system, result of the application of the score....",
+ "name": "Calculated data"
+ },
+ "PIA_EX_DCPC": {
+ "description": "Identification data : Civil status, identity, age, etc.
Personal life : living habits, marital status, etc.
Professional life : résumé, education and professional training, awards, etc.
Connection data : IP addresses, event logs, etc.
Location data : travels, GPS data, GSM data, etc.
Others : phone number, email address, etc.",
+ "name": "Common personal data",
+ "source": "PIA2 old version - WIKI"
+ },
+ "PIA_EX_DCPR": {
+ "description": "Philosophical, political, religious and trade-union views, sex life, health data, racial or ethnic origin, data concerning health or sex life, offenses, convictions, security measures, see Art. 9 and 10 of [GDPR].",
+ "name": "Convictions and sensitive personal data"
+ },
+ "PIA_EX_DCPS": {
+ "description": "Social security number (NIR), biometric data, bank data",
+ "name": "Personal data perceived as sensitive"
+ },
+ "PIA_EX_HUME": {
+ "description": "It could be either:
- a rogue or naive neighbor, by having a physical proximity, hacking into the device's data;
- a hacker targeting a user by using the knowledge he/she has of the user and some of the information concerning him/her;
- a hacker targeting one of the companies by using the knowledge he/she has of the companies that can undermine their image;
- an authorised third party company using its privileged access to illegitimately access information.",
+ "name": "External human sources"
+ },
+ "PIA_EX_HUMI": {
+ "description": "It could be either:
- a negligent or rogue employee, proximity of the system, skills, privileges and available time are potentially high, possible lack of training and awareness
- negligent or rogue user, family member or friend having access to the service.
Various motives are possible, including : clumsiness, error, negligence game, malicious intent, revenge, spying",
+ "name": "Internal human sources"
+ },
+ "PIA_EX_IMPI": {
+ "description": "Data subjects may encounter significant consequences, which they should be able to overcome albeit with real and serious difficulties. For example:
- physical : serious physical ailments causing long-term harm (worsening of health due to improper care, or disregard of contraindications), lteration of physical integrity for example following an assault, an accident at home, work, etc.
- material : misappropriation of money not compensated, targeted, unique and non-recurring, lost opportunities (home loan, refusal of studies, internships or employment, examination ban), loss of housing, loss of employment, etc.;
- moral : serious psychological ailments (depression, development of a phobia), feeling of invasion of privacy with irreversible damage, victim of blackmailing, cyberbullying and harassment, etc.",
+ "name": "Significant impact"
+ },
+ "PIA_EX_IMPL": {
+ "description": "Data subjects may encounter significant inconveniences, which they will be able to overcome despite a few difficulties. For example:
- physical : minor physical ailments (minor illness due to disregard of contraindications), defamation resulting in physical or psychological retaliation, etc.;
- material : unanticipated payments (fines imposed erroneously), denial of access to administrative or commercial services, receipt of unsolicited targeted mailings likely to damage the reputation of data subjects, etc.;
- moral : minor but objective psychological ailments, feeling of invasion of privacy without irreversible damage, intimidation on social networks, etc.",
+ "name": "Limited impact"
+ },
+ "PIA_EX_IMPM": {
+ "description": "Data subjects may encounter significant, or even irreversible, consequences, which they may not overcome. For example:
- physical : long-term or permanent physical ailments, permanent impairment of physical integrity, death;
- material : financial risk, substantial debts, inability to work, inability to relocate, loss of evidence in the context of litigation, loss of access to vital infrastructure (water, electricity), etc.
- moral : long-term or permanent psychological ailments, criminal penalty, abduction, loss of family ties, inability to sue, change of administrative status and/or loss of legal autonomy (guardianship), etc.",
+ "name": "Maximum impact"
+ },
+ "PIA_EX_IMPN": {
+ "description": "Data subjects either will not be affected or may encounter a few inconveniences, which they will overcome without any problem. For example:
- physical : transient headaches;
- material : loss of time in repeating formalities or waiting for them to be fulfilled, receipt of unsolicited mail (e.g.: spams), reuse of data published on websites for the purpose of targeted advertising , etc.;
- moral : mere annoyance, feeling of invasion of privacy without real or objective harm (commercial intrusion), etc.",
+ "name": "Negligible impact"
+ },
+ "PIA_EX_NHUM": {
+ "description": "Incident or damage at one of the organisation (power cut, fire, flood, etc.)",
+ "name": "Non-human sources"
+ },
+ "PIA_EX_VRAI": {
+ "description": "It seems possible for the selected risk sources to materialize the threat by exploiting the properties of supporting assets (e.g.: theft of paper documents stored in offices that cannot be accessed without first checking in at the reception).",
+ "name": "Significant likelihood"
+ },
+ "PIA_EX_VRAL": {
+ "description": "It seems difficult for the selected risk sources to materialize the threat by exploiting the properties of supporting assets (e.g.: theft of paper documents stored in a room protected by a badge reader).",
+ "name": "Limited likelihood"
+ },
+ "PIA_EX_VRAM": {
+ "description": "It seems extremely easy for the selected risk sources to materialize the threat by exploiting the properties of supporting assets (e.g.: theft of paper documents stored in the public lobby).",
+ "name": "Maximum likelihood"
+ },
+ "PIA_EX_VRAN": {
+ "description": "It does not seem possible for the selected risk sources to materialize the threat by exploiting the properties of supporting assets (e.g.: theft of paper documents stored in a room protected by a badge reader and access code).",
+ "name": "Negligible likelihood"
+ },
+ "PIA_LGL_CONS": {
+ "description": "Allow data subjects to make a free, specific and informed choice. Determine whether the processing relies on a legal basis other than consent pursuant to Art. 6 of the [GDPR]",
+ "name": "Consent",
+ "source": "PIA3 p11 - WIKI"
+ },
+ "PIA_LGL_DATA": {
+ "description": "Define and describe the scope in detail:
- the personal data concerned, their recipients and storage durations
- description of the processes and personal data supporting assets for the entire personal data life cycle (from collection to erasure).",
+ "name": "Data and processes",
+ "source": "PIA1 p6"
+ },
+ "PIA_LGL_DESC": {
+ "description": "Present a brief outline of the processing under consideration, its nature, scope, context, purposes and stakes. Identify the data controller and any processors. List the standard references applicable to the processing, which are necessary or must be complied with , not least the approved codes of conduct (see Art. 40 of the [GDPR]) and certifications regarding data protection (see Art. 42 of the [GDPR])",
+ "name": "Processing's description",
+ "source": "PIA1 p4"
+ },
+ "PIA_LGL_DEST": {
+ "description": "Natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing. see Art. 4.9 of the [GDPR]",
+ "name": "Recipient",
+ "source": "GDPR art 4.9"
+ },
+ "PIA_LGL_DUR": {
+ "description": "A storage duration must be defined for each type of data and justified by the legal requirements and/or processing needs. Thus a distinction is made between common data and archived data, to which access will be limited to only the stakeholders concerned. An erasure mechanism must be implemented to archive common data or purge archived data at the end of their storage duration. 
Functional traces will also have to be purged, as will technical logs which may not be stored indefinitely",
+ "name": "Storage Durations",
+ "source": "PIAF Connected Objects p12"
+ },
+ "PIA_LGL_FIN": {
+ "description": "Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
See Art. 5.1 b) of [GDPR]",
+ "name": "Principles relating to processing of personal data",
+ "source": "GDPR art 5.1 b)"
+ },
+ "PIA_LGL_FOND": {
+ "description": "- The data subject has given consent to the processing of his or her personal data for one or more specific purposes
- Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
-Processing is necessary for compliance with a legal obligation to which the controller is subject
- Processing is necessary in order to protect the vital interests of the data subject or of another natural person
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
- Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child
See art. 6 of [GDPR] ",
+ "name": "Justification of lawfulness",
+ "source": "PIA2 p4"
+ },
+ "PIA_LGL_INFO": {
+ "description": "Ensure that the subjects are informed. Confirm that the processing is not covered by an exception and is not subject to specific conditions.",
+ "name": "Informing data subjects",
+ "source": "PIA3 p8 - WIKI"
+ },
+ "PIA_LGL_MINI": {
+ "description": "It is important to reduce the severity of the risks by minimising the number of personal data that will be processed, by limiting such data to what is strictly necessary for the purposes for which they are processed (otherwise they should not be collected). Then, it also becomes possible to minimise the data themselves, via controls aimed at reducing their sensitivity.",
+ "name": "Data minimisation",
+ "source": "PIAF Connected Objects p10 - WIKI"
+ },
+ "PIA_LGL_ST": {
+ "description": "A processing contract must be signed with each processor, setting out all of the aspects stipulated in Art. 28 of the [GDPR]: duration, scope, purpose, documented processing instructions, prior authorisation where a processor is engaged, provision of any documentation providing evidence of compliance with the [GDPR], prompt notification of any data breach, etc.",
+ "name": "Subcontracting",
+ "source": "PIA2 p10"
+ },
+ "PIA_LGL_SUPT": {
+ "description": "Asset on which personal data rely. Note: this may be hardware, software, networks, people, paper or paper transmission channels.",
+ "name": "Supporting asset",
+ "source": "PIA1 p10"
+ },
+ "PIA_LGL_TRAN": {
+ "description": "Depending on the country in question, you will have to justify the choice of remote hosting and indicate the legal supervision arrangements implemented in order to ensure adequate protection of the data subject to a cross-border transfer. That is :
- European Union
- Country recognised as providing adequate protection by the EU
- Transfer to the United States to a company which has joined the Privacy Shield
- Other country
See art. 44 to 49 of [GDPR]",
+ "name": "Transfers",
+ "source": "PIAF Connected Objects p18"
+ },
+ "PIA_METHOD_MES": {
+ "description": "Planned controls are those originally put in place, before any analysis by the assessor. Corrective measures advised by the assessor will be stated in the action plan and will enable a second assessment of the severity and likelihood of the risk.",
+ "name": "Planned and corrective controls",
+ "source": ""
+ },
+ "PIA_ORG_AUD": {
+ "description": "Existence of a policy and processes to obtain an organisation able to manage and control the protection of personal data held within it.",
+ "name": "Supervision",
+ "placeholder": "Indicate here whether the effectiveness and adequacy of privacy controls are monitored.",
+ "source": "PIA3 p76 - WIKI"
+ },
+ "PIA_ORG_EXT": {
+ "description": "Existence of a policy and processes reducing the risk that legitimate access to personal data by third parties may pose to the data subjects' civil liberties and privacy.",
+ "name": "Relations with third parties",
+ "placeholder": "Indicate here, for processors requiring access to data, the security controls and arrangements carried out as regards such access.",
+ "source": "PIA3 p48 - WIKI"
+ },
+ "PIA_ORG_ORG": {
+ "description": "Specify whether a person is responsible for the enforcement of privacy laws and regulations. 
Specify whether there is a monitoring committee (or equivalent) responsible for the guidance and follow-up of actions concerning the protection of privacy.",
+ "name": "Organisation",
+ "placeholder": "Indicate if the roles and responsibilities for data protection are defined.",
+ "source": "PIAF Connected Objects p24 - WIKI"
+ },
+ "PIA_ORG_PBD": {
+ "description": "Existence of a policy designed integrate the protection of personal data in all new processing operations.",
+ "name": "Integrating privacy protection in projects",
+ "placeholder": "Describe here how privacy protection is integrated in projects",
+ "source": "PIA3 p79 - WIKI"
+ },
+ "PIA_ORG_PERS": {
+ "description": "Existence of a policy describing awareness-raising controls are carried out with regard to a new recruit and what controls are carried out when persons who have been accessing data leave their job.",
+ "name": "Personnel management",
+ "placeholder": "Indicate here what awareness-raising controls are carried out with regard to employees.",
+ "source": "PIAF Connected Objects p24"
+ },
+ "PIA_ORG_POL": {
+ "description": "Set out important aspects relating to data protection within a documentary base making up the data protection policy and in a form suited to each type of content (risks, key principles to be followed, target objectives, rules to be applied, etc.) 
and each communication target (users, IT department, policymakers, etc.).",
+ "name": "Policy",
+ "placeholder": "Describe here the documentary base setting out data protection objectives and rules.",
+ "source": "PIA3 p78 - WIKI"
+ },
+ "PIA_ORG_RMGT": {
+ "description": "Policy describing processes to control the risks that processing operations performed by the organisation pose on data protection and the privacy of data subjects (building a map of the risks, etc.).",
+ "name": "Managing privacy risks",
+ "placeholder": "Describe here processes to control the risks that processing operations performed by the organisation pose on data protection and the privacy of data subjects.",
+ "source": "PIA3 p77 - WIKI"
+ },
+ "PIA_ORG_VIOL": {
+ "description": "Existence of an operational organisation that can detect and treat incidents that may affect the data subjects' civil liberties and privacy.",
+ "name": " Managing personal data violations",
+ "placeholder": "Indicate here whether IT incidents are subject to a documented and tested management procedure.",
+ "source": "PIAF Connected Objects p24 and PIA3 p36 - WIKI"
+ },
+ "PIA_SEC_BKP": {
+ "description": "Policies and means implemented to ensure the availability and/or integrity of the personal data, while maintaining their confidentiality.",
+ "name": "Backups",
+ "placeholder": "Indicate here how backups are managed. Clarify whether they are stored in a safe place.",
+ "source": "PIAF Connected Objects p23 & PIA3 p27 - WIKI"
+ },
+ "PIA_SEC_COMP": {
+ "description": "Controls implemented on workstations (automatic locking, regular updates, configuration, physical security, etc.) to reduce the possibility to exploit software properties (operating systems, business applications etc.) 
to adversely affect personal data.",
+ "name": "Managing workstations",
+ "placeholder": "Describe here the controls implemented on workstations",
+ "source": "PIAF Connected Objects p22 - WIKI"
+ },
+ "PIA_SEC_CTR": {
+ "description": "Only use subcontractors which are able to provide sufficient guarantees (in particular in terms of specialised knowledge, reliability and resources). Require service providers to communicate their information system security policy before signing a contract with them.
Take and document the means (security audits, installation visits, etc.) used to ensure the effectiveness of the guarantees offered by the subcontractor in terms of data protection. These guarantees include:
- encryption of data according to its sensitivity or, at least, the existence of procedures guaranteeing that the service company does not have access to the data;
- encryption of data transmissions (e.g.: HTTPS type connection, VPN, etc.);
- guarantees in terms of network protection, traceability (logs, audits), access rights management, authentication, etc.
Sign a contract with the subcontractors, which defines the subject, the length and the purpose of the processing, as well as obligations of each party. Ensure that it contains, in particular, provisions targeting:
- their obligation in terms of confidentiality of the entrusted personal data;
- minimal standards in terms of user authentication;
- conditions of restitution of data and/or its destruction at end of the contract;
- incident management and notification rules. They should include notification of the data controller whenever a security breach or a security incident is discovered, which should happen as soon as possible when it concerns personal data.",
+ "name": "Processing contracts",
+ "placeholder": "Describe here specific measures for processors (host, maintenance company, administrator, specialist service providers, etc.)",
+ "source": "Mesures_US Procurement: identified and governed by a contract"
+ },
+ "PIA_SEC_EXP": {
+ "description": "Policies implemented to reduce the possibility and the impact of risks on assets supporting personal data.",
+ "name": "Operating security",
+ "placeholder": "Describe here how the software updates (operating systems, applications, etc.) and application of security corrective controls patches are carried out.",
+ "source": "PIAF Connected Objects p22 - WIKI"
+ },
+ "PIA_SEC_LOG": {
+ "description": "Monitor intrusion detection systems and intrusion prevention systems in order to analyze network (wired networks, Wi-Fi, radio waves, fiber optics, etc.) traffic in real time and detect any suspicious activity suggestive of a cyber attack scenario.",
+ "name": "Monitoring network activity",
+ "placeholder": "Indicate here means and controls implemented to detect incidents involving personal data",
+ "source": "PIA3 p67 - WIKI"
+ },
+ "PIA_SEC_MAIN": {
+ "description": "Policies describing how physical maintenance of hardware is managed, stating whether this is contracted out.
Indicate whether the remote maintenance of apps is authorized, and according to what arrangements. Specify whether defective equipment is managed in a specific manner.",
+ "name": "Maintenance",
+ "placeholder": "Describe here how physical maintenance of hardware is managed",
+ "source": "PIAF Connected Objects p23"
+ },
+ "PIA_SEC_MAL": {
+ "description": "Controls implemented on workstations and servers to protect them from malicious software while accessing less secure networks.",
+ "name": "Clamping down on malicious software",
+ "placeholder": "Describe here the controls implemented to reduce risks while accessing less secure networks.",
+ "source": "PIAF Connected Objects p22 - WIKI"
+ },
+ "PIA_SEC_MAT": {
+ "description": "Indicate here the controls bearing on the physical security of servers and workstations (secure storage, security cables, confidentiality filters, secure erasure prior to scrapping, etc.).",
+ "name": "Hardware security",
+ "placeholder": "Indicate here the controls bearing on the physical security of servers and workstations",
+ "source": "PIAF Connected Objects p23 - WIKI"
+ },
+ "PIA_SEC_NET": {
+ "description": "Depending on the type of network on which the processing is carried out (isolated, private or Internet). 
Specify which firewall system, intrusion detection systems or other active or passive devices are in charge of ensuring network security.",
+ "name": "Network security",
+ "placeholder": "Indicate here the security controls of network on which the processing is carried out",
+ "source": "PIAF Connected Objects p23"
+ },
+ "PIA_SEC_PHY": {
+ "description": "Policies to ensure physical security (zoning, escorting of visitors, wearing of passes, locked doors and so on).Indicate whether there are warning procedures in place in the event of a break-in.",
+ "name": "Physical access control",
+ "placeholder": "Indicate here how physical access control is carried out regarding the premises accommodating the processing.",
+ "source": "PIAF Connected Objects p23"
+ },
+ "PIA_SEC_PROT": {
+ "description": "Policies describing the means of fire prevention, detection and fighting. Where applicable, indicate the means of preventing water damage. Also specify the means of power supply monitoring and relief.",
+ "name": "Protecting against non-human sources of risks",
+ "placeholder": "Indicate here means to avoid to limit non-human sources of risks.",
+ "source": "PIAF Connected Objects p23 - WIKI"
+ },
+ "PIA_SEC_SRC": {
+ "description": "Documentation on implantation area, which should not be subject to environmental disasters (flood zone, proximity to chemical industries, earthquake or volcanic zone, etc.).Specify if dangerous products are stored in the same area.",
+ "name": "Avoiding sources of risk",
+ "placeholder": "Indicate here whether the implantation area is subject to environmental disasters",
+ "source": "PIAF Connected Objects p23 - WIKI"
+ },
+ "PIA_SEC_WEB": {
+ "description": "Implementation of ANSSI's Recommendations for securing websites.",
+ "name": "Website security",
+ "placeholder": "Indicate here controls implemented to protect websites.",
+ "source": "PIAF Connected Objects p22 - WIKI"
+ },
+ "PIA_TEC_ANO": {
+ "description": "Indicate here whether 
anonymisation mechanisms are implemented, which ones and for what purpose.
Remember to clearly distinguish between anonymous and pseudonymous data.",
+ "name": "Anonymisation",
+ "placeholder": "Indicate here implemented anonymisation mechanisms",
+ "source": "PIAF Connected Objects p21"
+ },
+ "PIA_TEC_ARCH": {
+ "description": "Where applicable, describe here the processes of archive management (delivery, storage, consultation, etc.) under your responsibility. Specify the archiving roles (offices of origin, transferring agencies, etc.) and the archiving policy. State if data may fall within the scope of public archives.",
+ "name": "Archiving",
+ "placeholder": "Indicate here whether mechanisms are implemented for integrity monitoring of stored data, which ones and for what purpose.",
+ "source": "PIAF Connected Objects p22 - WIKI"
+ },
+ "PIA_TEC_CHIF": {
+ "description": "Means implemented for ensuring the confidentiality of data stored (in the database, in flat files, backups, etc.), as well as the procedure for managing encryption keys (creation, storage, change in the event of suspected cases of data compromise, etc.).
Describe the encryption means employed for data flows (VPN, TLS, etc.) implemented in the processing.",
+ "name": "Encryption",
+ "placeholder": "Describe here the means implemented for ensuring the confidentiality of data",
+ "source": "PIAF Connected Objects p21"
+ },
+ "PIA_TEC_CLO": {
+ "description": "Implementation of data partitioning helps to reduce the possibility that personal data can be correlated and that a breach of all personal data may occur.",
+ "name": "Partitioning data",
+ "placeholder": "Indicate here if processing partitioning is planned, and how this is carried out.",
+ "source": "PIAF Connected Objects p21"
+ },
+ "PIA_TEC_CTLA": {
+ "description": "Methods to define and attribute users profiles. Specify the authentication means implemented . Where applicable, specify the rules applicable to passwords (minimum length, required characters, validity duration, number of failed attempts before access to account is locked, etc.).",
+ "name": "Logical access control",
+ "placeholder": "Indicate here how users profiles are defined and attributed.",
+ "source": "PIAF Connected Objects p21"
+ },
+ "PIA_TEC_LOG": {
+ "description": "Policies that define traceability and log management.",
+ "name": "Traceability (logging)",
+ "placeholder": "Indicate here whether events are logged and how long these traces are stored for.",
+ "source": "PIAF Connected Objects p22"
+ },
+ "PIA_TEC_MINI": {
+ "description": "The following methods could be used : Filtering and removal, Reducing sensitivity via conversion, Reducing the identifying nature of data, Reducing data accumulation, Restricting data access",
+ "name": "Minimising the amount of personal data",
+ "placeholder": "Indicate here means implemented to reduce the severity of risks by limiting the amount of personal data",
+ "source": "PIAF Connected Objects p40"
+ },
+ "PIA_TEC_PAP": {
+ "description": "Where paper documents containing data are used during the processing, indicate here how they are 
printed, stored, destroyed and exchanged.",
+ "name": "Paper document security",
+ "placeholder": "Indicate here whether mechanisms are implemented for integrity monitoring of paper documents, which ones and for what purpose.",
+ "source": "PIAF Connected Objects p22"
+ },
+ "PIA_VAL_ACT": {
+ "description": "corrective controls suggested by the assessor in previous steps, drawing up an action plan setting out, for each action, its manager, frequency, difficulty, cost and progress.",
+ "name": "Action plan",
+ "source": "None"
+ },
+ "PIA_VAL_CART": {
+ "description": "Graph illustrating the good security practices, with a conformity value attributed to each on the basis of its assessment in previous steps.",
+ "name": "Mapping of risks",
+ "source": "PIAF Connected Objects p34"
+ },
+ "PIA_VAL_CONC": {
+ "description": "Where appropriate, the controller shall seek the views of data subjects or their representatives on the intended processing, without prejudice to the protection of commercial or public interests or the security of processing operations. See Art. 35.9 of the [GDPR]
These views may be gathered by diverse means, depending on the context (internal or external study on the processing methods and purpose, question for the attention of staff representatives or trade unions, survey among future customers of the data processor). Where the data controller decides to go against the views of the data subjects, he must note down the justification for this decision. Where the data controller considers that gathering the views of the data subjects is not relevant, he must also note down the justification thereof.",
+ "name": "Data subject's opinion",
+ "source": "GDPR Art. 35.9 and PIAF Connected Objects p38"
+ },
+ "PIA_VAL_DPO": {
+ "description": "The controller shall seek the advice of the data protection officer, where designated, when carrying out a data protection impact assessment. See Art. 35.2 of the [GDPR]
This view may be against the processing being implemented, without restricting the decision of the data controller for all that.",
+ "name": "DPO's opinion",
+ "source": "GDPR Art. 35.2 and PIAF Connected Objects p37"
+ },
+ "PIA_VAL_RT": {
+ "description": "Decide on whether the selected controls, residual risks and action plan are acceptable, with justifications, in view of the previously identified stakes and views of the stakeholders. In this way, the PIA may be:
- validated
- conditional on improvement (explain in what way)
- refused (along with the processing under consideration). Where necessary, repeat the previous steps so that the PIA can be validated. This decision does not prejudge the compliance assessment which may be carried out, where applicable, by the Data Protection Authority (the CNIL in France), as part of preliminary formalities or checks for example.",
+ "name": "Formal validation",
+ "source": "PIAF Connected Objects p40"
+ }
+ },
+ "title": "Knowledge base"
+ },
+ "measures": {
+ "add": "Add an empty measure (otherwise, use the knowledge base)",
+ "default_placeholder": "Describe the existing or intended measures to ensure data security.",
+ "edit": "Edit measure",
+ "placeholder_title": "Measure title",
+ "remove": "Delete measure"
+ },
+ "misc": {
+ "display": "Show / Hide"
+ },
+ "modals": {
+ "abandon_pia": {
+ "additional_text": "Archiving is not definitive and the PIA can go back to it if needed.",
+ "content": "Do you wish to give up the processing?"
+ },
+ "action_plan_no_evaluation": {
+ "content": "You need to begin the review of the analysis to create the action plan.",
+ "review_section": "Review a section"
+ },
+ "archive": "Archive",
+ "archive_pia": {
+ "archive": "Archive PIA",
+ "content": "Warning,
Are you sure you want to
archive this PIA ?"
+ },
+ "ask_for_evaluation": {
+ "content": "This section is ready to be reviewed."
+ },
+ "back_to_edition": {
+ "content": "This section has been sent back for editing.
Several fields must be corrected
to enable its proper review." + }, + "back_to_evaluation": { + "content": "This section has been sent back for review.
Several fields must be reviewed
to enable its proper validation." + }, + "back_to_home": "Back to home", + "cancel": "Cancel", + "close": "Close", + "completed_edition": { + "content": "The PIA has been fully edited and has to be reviewed." + }, + "completed_evaluation": { + "content": "The PIA has been fully reviewed and can be validated." + }, + "continue": "Continue", + "declare_measures": { + "content": "Before evaluating risks,
you must report the
existing or planned measures.", + "declare": "Declare existing or planned measures" + }, + "dpo_missing_evaluations": { + "comment": "Comment", + "content": "You need to complete the review of the analysis to access the DPO page.", + "remove": "Remove", + "review_section": "Review a section" + }, + "general_error": { + "content": "All our apologies an error has occurred." + }, + "import_wrong_pia_file": { + "content": "The imported file doesn't correspond to a PIA report file." + }, + "import_wrong_structure_file": { + "content": "The imported file doesn't correspond to a PIA template file." + }, + "knowledge": { + "content": "Are you sure you want to delete this element?", + "remove": "Delete this element" + }, + "knowledges": { + "content": "Are you sure you want to delete this knowledge base?", + "remove": "Delete this knowledge base" + }, + "modal_select_text_pia": { + "content": "The content of the PIA has been copied to clipboard." + }, + "not_enough_measures_to_remove": { + "content": "Warning,
At least one measure must be filled: no deletion possible." + }, + "recover_version": { + "continue": "Continue", + "message": "By continuing, you will restore this report version: {{date}}.

The current version will be saved.", + "title": "Restore a previous version" + }, + "refuse_pia": { + "content": "As you have rejected the PIA, it is sent back for review to make the required changes." + }, + "remove_attachment": { + "comment": "Comment", + "content": "Warning,
Are you sure you want to
remove this attachment?", + "keep": "Keep", + "remove": "Remove" + }, + "remove_measure": { + "content": "Warning,
Are you sure you want to
remove this measure?", + "keep": "Keep this
measure", + "remove": "Remove this
measure" + }, + "remove_pia": { + "content": "Warning,
Are you sure you want to
remove permanently this PIA?", + "remove": "Remove this PIA" + }, + "remove_question": { + "content": "Are you sure you want to delete the question?", + "keep": "Cancel", + "remove": "Delete" + }, + "remove_structure": { + "content": "Warning,
Are you sure you want
to delete the template?", + "remove": "Delete template" + }, + "same_comment": { + "content": "Warning,
Please enter a comment different from the last recorded." + }, + "signed_pia_validation": { + "content": "To approve the PIA, attach the signed report.", + "download_pia": "Download report" + }, + "simple_pia_validation": { + "content": "You have approved the PIA." + }, + "start_evaluation": "Start review", + "unarchive_pia": { + "content": "Warning,
Are you sure you want to
unarchive this PIA ?", + "unarchive": "Unarchive PIA" + }, + "update_server_url_nok": { + "content": "The connection with the server is not possible: please check the filled URL.", + "introspect": "The Client ID and Client SECRET have not been validated by the server, please check them." + }, + "update_server_url_ok": { + "content": "The server address has been updated." + }, + "validate_evaluation": { + "content": "This section is ready for validating the PIA." + }, + "validate_evaluation_to_correct": { + "content": "Sorry,
Several fields must be corrected.
Return to edition mode
to make corrections." + }, + "users": { + "delete": { + "content": "Warning,
Are you sure you want to
delete this user ?", + "confirm": "Delete this user", + "pia_exist": "This user is assigned to one or more PIAs, you will need to re-assign users on them." + } + } + }, + "onboarding": { + "dashboard": { + "step1": { + "description": "Click on the + to create your first PIA.", + "title": "Create a PIA" + }, + "step2": { + "description": "

Editors write the first version of the analysis.

They are, for example, the project managers associated with the data processing.

", + "title": "PIA's roles" + }, + "step3": { + "description": "

Reviewers are involved in a second phase.

They use their legal or technical expertise to check the quality and compliance of the processing.

They are, for example, DPO, legal experts, ...

", + "title": "PIA's roles" + }, + "step4": { + "description": "

The validator accepts or rejects the implementation of the processing. He must sign the analysis.

He is the controller, e.g. the CEO.

", + "title": "PIA's roles" + }, + "step5": { + "description": "

Templates are an advanced feature. They are used to create a pre-filled basis for the analysis.

You can create templates by going to the associated section accessible from the top menu.

", + "title": "Templates" + } + }, + "entry": { + "step1": { + "description": "To move from one part of the analysis to another, use the left navigation menu.", + "title": "Browse" + }, + "step2": { + "description": "This is used to explain the purpose of the processing and how it will be implemented.", + "title": "Context" + }, + "step3": { + "description": "These aim to ensure that the processing complies with the GDPR.", + "title": "Fundamental principles" + }, + "step4": { + "description": "These describe the security measures already planned for the processing operation and make it possible to assess its potential impact on the data subjects.", + "title": "Risks" + }, + "step5": { + "description": "This allows the DPO to express her opinion on the implementation of the processing and the controller to accept or refuse it.", + "title": "Validation" + }, + "step6": { + "description": "

It provides contextual assistance in carrying out the analysis and is based on the GDPR, the security guide and the CNIL's PIA guides

In addition to these contents, you can also create your own knowledge bases to easily access information specific to your organization.

", + "title": "The knowledge base" + }, + "step7": { + "description": "At any time during the analysis, you can download the analysis in various formats to share it with your colleagues.", + "title": "Export your PIA" + } + }, + "evaluation": { + "step1": { + "description": "The evaluation can take an entire section into account, or at the level of each element of a section.", + "title": "Evaluate the PIA" + }, + "step2": { + "description": "

This evaluation indicates to the editors that elements are missing in order to make a relevant assessment.

The assessor must indicate these in the associated evaluation comment field. The editor will make the necessary corrections.

", + "title": "To correct" + }, + "step3": { + "description": "

This assessment indicates the processing elements to be revised. They are detailed in the action plan / corrective action field.

These measures will be automatically added to the action plan part of the analysis. It is necessary to implement them as soon as possible.

", + "title": "Improvable" + }, + "step4": { + "description": "This assessment means that this part of the processing can be implemented without modification.", + "title": "Acceptable" + }, + "step5": { + "description": "If the assessment of a section has not yet begun, the request forassessment may be cancelled to make changes to the processing description.", + "title": "Cancel a request" + } + }, + "general": { + "done": "Confirm", + "next": "Next", + "skip": "Skip" + }, + "validated": { + "step1": { + "description": "A complete and validated analysis can be consulted at any time via a dedicated interface.", + "title": "Consult a validated PIA" + }, + "step2": { + "description": "It is necessary to review regularly an analysis. You can edit or duplicate it at any time to review its content according to the processing evolution.", + "title": "Update a validated PIA" + } + } + }, + "opinions": { + "content": ", consider that :", + "dpo_lock": "Please complete the other sections before you can fill the DPO opinion.", + "dpo_opinion": "DPO opinion", + "edit": "Edit", + "people_opinion": "Concerned people opinion", + "placeholder_concerned_people_name": "Concerned people name(s)", + "placeholder_dpo_name": "DPO name(s)", + "placeholder_dpo_opinion": "Specify the reasons for your choice.", + "placeholder_people_opinion": "Describe how the opinions were collected and what the analysis is. If the opinions have not been sought, state the reasons.", + "placeholder_search_content": "Justify the reason why the opinion of the persons concerned has not been requested.", + "treatment_lock": "Please complete the other sections before you can fill the opinions of the persons concerned.", + "treatment_nok": "The treatment should not be used.", + "treatment_ok": "The treatment could be implemented." 
+ },
+ "overview-risks": {
+ "important": "Important",
+ "limited": "Limited",
+ "maximal": "Maximal",
+ "measures": "Measures",
+ "negligible": "Negligible",
+ "potential_impacts": "Potential impacts",
+ "risk-access_x": "Severity",
+ "risk-access_y": "Likelihood",
+ "risk-change_x": "Severity",
+ "risk-change_y": "Likelihood",
+ "risk-disappearance_x": "Severity",
+ "risk-disappearance_y": "Likelihood",
+ "sources": "Sources",
+ "threat": "Threats"
+ },
+ "pia": {
+ "attachments": {
+ "add": "Add",
+ "download": "Download the attachment",
+ "loading": "Uploading...",
+ "remove": "Remove",
+ "title": "Attachments",
+ "no_attachment": "No attachment available"
+ },
+ "footer": {
+ "ask_evaluation": "Ask for review",
+ "mandatory_fields": "All fields must be filled",
+ "structure_add_question": "Add a question",
+ "subsection_validated": "Subsection reviewed, awaiting final validation",
+ "validate_evaluation": "Validate review"
+ },
+ "header": {
+ "display_action_plan": "Display
action plan",
+ "edition": "Edition",
+ "evaluation": "Evaluation",
+ "preview": "Preview"
+ },
+ "sections": {
+ "based_on_structure_name": "Based on template:",
+ "homepage_link": "Back to dashboard",
+ "refuse_pia": "Refused PIA",
+ "status": {
+ "evaluation": {
+ "cancel": "cancel the review request.",
+ "cancel_button": "Cancel the review request",
+ "content": "This part has not yet been reviewed. If you wish to edit the content submitted for review you have to ",
+ "title": "Waiting for review."
+ },
+ "validation": {
+ "cancel": "cancel the validation request.",
+ "cancel_button": "Cancel the validation request",
+ "content": "This part has been reviewed and is waiting for the overall PIA validation. If you wish to change the review, you have to ",
+ "title": "Waiting for validation."
+ }
+ },
+ "validate_pia": "Validate PIA"
+ },
+ "statuses": [
+ "In progress",
+ "Rejected",
+ "Simple validation",
+ "Signed validation",
+ "Archived",
+ "Waiting for validation"
+ ]
+ },
+ "questions": {
+ "edit": "Edit question",
+ "gauges": [
+ "(Undefined)",
+ "Negligible",
+ "Limited",
+ "Important",
+ "Maximum"
+ ],
+ "placeholder_title": "Question title (mandatory)",
+ "remove": "Delete question"
+ },
+ "rejection_page": {
+ "applied_adjustments": "Adjustments proposed",
+ "applied_adjustments_placeholder": "Describe the changes brought to the PIA.",
+ "button": {
+ "abandon_treatment": "Abandon processing",
+ "reject_pia": "Reject PIA",
+ "send_for_validation": "Resend for approval"
+ },
+ "previous_rejection": "Previous refusal",
+ "rejection_reason": "Refusal reason",
+ "rejection_reason_placeholder": "Describe the reasons for refusing the PIA.",
+ "title": "Validation history"
+ },
+ "sections": {
+ "1": {
+ "items": {
+ "1": {
+ "questions": {
+ "1": {
+ "placeholder": "Present a brief outline of the processing: its name, purposes, stakes, context of use, etc.",
+ "title": "What is the processing under consideration?"
+ },
+ "2": {
+ "placeholder": "Describe the responsibilities of the stakeholders: the data controller, the possible data processors and joint controllers.",
+ "title": "What are the responsibilities linked to the processing?"
+ },
+ "3": {
+ "placeholder": "List the relevant standards applicable to the processing, especially approved codes of conduct and data protection certifications.",
+ "title": "Are there standards applicable to the processing?"
+ }
+ },
+ "short_help": "This part allows you to identify and present the object of the study.",
+ "title": "Overview"
+ },
+ "2": {
+ "questions": {
+ "1": {
+ "placeholder": "List the data collected and processed. Define for each the storage durations, the recipients and persons with access thereto.",
+ "title": "What are the data processed?"
+ },
+ "2": {
+ "placeholder": "Present and describe how the product generally works (from the data collection to the data destruction, the different processing stages, storage, etc.), using for example a diagram of data flows (add it as an attachment) and a detailed description of the processes carried out.",
+ "title": "How does the life cycle of data and processes work?"
+ },
+ "3": {
+ "placeholder": "List the data supporting assets (operating systems, business applications, database management systems, office suites, protocols, configurations, etc.)",
+ "title": "What are the data supporting assets?"
+ }
+ },
+ "short_help": "This part allows you to define and describe the scope of the processing in detail.",
+ "title": "Data, processes and supporting assets"
+ }
+ },
+ "short_help": "This section gives you a clear view of the treatment(s) of personal data in question.",
+ "title": "Context"
+ },
+ "2": {
+ "items": {
+ "1": {
+ "questions": {
+ "1": {
+ "placeholder": "Explain why the processing purposes are specified, explicit and legitimate.",
+ "short_title": "Purposes",
+ "title": "Are the processing purposes specified, explicit and legitimate?"
+ },
+ "2": {
+ "placeholder": "Describe what is/are the legal basis of your processing (ex: consent, performance of a contract, compliance with a legal obligation, protecting the vital intests, etc.)",
+ "short_title": "Legal basis",
+ "title": "What are the legal basis making the processing lawful?"
+ },
+ "3": {
+ "placeholder": "Explain why each of the data collected is necessary for the purposes of your processing.",
+ "short_title": "Adequate data",
+ "title": "Are the data collected adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ('data minimisation')?"
+ },
+ "4": {
+ "placeholder": "Describe which are the steps taken to ensure the quality of the data.",
+ "short_title": "Data accuracy",
+ "title": "Are the data accurate and kept up to date?"
+ },
+ "5": {
+ "placeholder": "Explain why the storage durations are justified by legal requirements and/or processing needs.",
+ "short_title": "Storage duration",
+ "title": "What are the storage duration of the data?"
+ }
+ },
+ "short_help": "This part allows you to demonstrate the legitimacy of your treatment and of the data processed.",
+ "title": "Proportionality and necessity"
+ },
+ "2": {
+ "questions": {
+ "1": {
+ "placeholder": "Describe what is the information given to the data subjects and what are the means to do it.",
+ "short_title": "Information for the data subjects",
+ "title": "How are the data subjects informed on the processing?"
+ },
+ "2": {
+ "placeholder": "Describe the controls intended to ensure that users' consent has been obtained.",
+ "short_title": "Obtaining consent",
+ "title": "If applicable, how is the consent of data subjects obtained?"
+ },
+ "3": {
+ "placeholder": "Describe the controls intended for enabling data subjects to access, receive and transmit their data.",
+ "short_title": "Right of access and to data portability",
+ "title": "How can data subjects exercise their rights of access and to data portability?"
+ },
+ "4": {
+ "placeholder": "Describe the controls intended for enabling data subjects to rectify and erase their data.",
+ "short_title": "Right to rectification and erasure",
+ "title": "How can data subjects exercise their rights to rectification and erasure?"
+ },
+ "5": {
+ "placeholder": "Describe the controls intended for enabling data subjects to restrict and to object to the processing of their data.",
+ "short_title": "Right to restriction and to object",
+ "title": "How can data subjects exercise their rights to restriction and to object?"
+ },
+ "6": {
+ "placeholder": "For each processor, describe his responsibilities (duration, scope, purpose, documented processing instructions, prior authorisation) and provide the contracts, codes of conduct and certifications determining its missions and obligations.",
+ "short_title": "Subcontracting",
+ "title": "Are the obligations of the processors clearly identified and governed by a contract?"
+ },
+ "7": {
+ "placeholder": "For each country outside the European Union where data are stored or processed, name it and tell if it is acknowledged as offering an adequate level of data protection or describe the provisions concerning the transfer.",
+ "short_title": "Transfers",
+ "title": "In the case of data transfer outside the European Union, are the data adequately protected?"
+ }
+ },
+ "short_help": "This part allows you to demonstrate that you are implementing the necessary means to enable the persons concerned to exercise their rights.",
+ "title": "Controls to protect the personal rights of data subjects"
+ }
+ },
+ "short_help": "This section allows you to build the compliance framework for privacy principles.",
+ "title": "Fundamental principles"
+ },
+ "3": {
+ "items": {
+ "1": {
+ "short_help": "This section allows you to identify controls (existing or planned) that contribute to data security.",
+ "title": "Planned or existing measures"
+ },
+ "2": {
+ "questions": {
+ "1": {
+ "placeholder": "Enter the potential impacts",
+ "title": "What could be the main impacts on the data subjects if the risk were to occur?"
+ },
+ "2": {
+ "placeholder": "Enter the threats",
+ "title": "What are the main threats that could lead to the risk?"
+ },
+ "3": {
+ "placeholder": "Enter the risk sources",
+ "title": "What are the risk sources?"
+ },
+ "4": {
+ "placeholder": "Click here to select controls which address the risk.",
+ "title": "Which of the identified planned controls contribute to addressing the risk?"
+ },
+ "5": {
+ "placeholder": "Justify here the estimated severity of the risk.",
+ "title": "How do you estimate the risk severity, especially according to potential impacts and planned controls?"
+ },
+ "6": {
+ "placeholder": "Justify here the estimated likelihood.",
+ "title": "How do you estimate the likelihood of the risk, especially in respect of threats, sources of risk and planned controls?"
+ }
+ },
+ "short_help": "Analyze the causes and consequences of illegitimate access to data, and estimate its severity and likelihood.",
+ "title": "Illegitimate access to data"
+ },
+ "3": {
+ "questions": {
+ "1": {
+ "placeholder": "Enter the potential impacts",
+ "title": "What could be the main impacts on the data subjects if the risk were to occur?"
+ },
+ "2": {
+ "placeholder": "Enter the threats",
+ "title": "What are the main threats that could lead to the risk?"
+ },
+ "3": {
+ "placeholder": "Enter the risk sources",
+ "title": "What are the risk sources?"
+ },
+ "4": {
+ "placeholder": "Click here to select controls which address the risk.",
+ "title": "Which of the identified controls contribute to addressing the risk?"
+ },
+ "5": {
+ "placeholder": "Justify here the estimated severity of the risk.",
+ "title": "How do you estimate the risk severity, especially according to potential impacts and planned controls?"
+ },
+ "6": {
+ "placeholder": "Justify here the estimated likelihood.",
+ "title": "How do you estimate the likelihood of the risk, especially in respect of threats, sources of risk and planned controls?"
+ }
+ },
+ "short_help": "Analyze the causes and consequences of an undesired change in data, and estimate its seriousness and likelihood.",
+ "title": "Unwanted modification of data"
+ },
+ "4": {
+ "questions": {
+ "1": {
+ "placeholder": "Enter the potential impacts",
+ "title": "What could be the main impacts on the data subjects if the risk were to occur?"
+ },
+ "2": {
+ "placeholder": "Enter the threats",
+ "title": "What are the main threats that could lead to the risk?"
+ },
+ "3": {
+ "placeholder": "Enter the risk sources",
+ "title": "What are the risk sources?"
+ },
+ "4": {
+ "placeholder": "Click here to select controls which address the risk.",
+ "title": "Which of the identified controls contribute to addressing the risk?"
+ },
+ "5": {
+ "placeholder": "Justify here the estimated severity of the risk.",
+ "title": "How do you estimate the risk severity, especially according to potential impacts and planned controls?"
+ },
+ "6": {
+ "placeholder": "Justify here the estimated likelihood.",
+ "title": "How do you estimate the likelihood of the risk, especially in respect of threats, sources of risk and planned controls?"
+ }
+ },
+ "short_help": "Analyze the causes and consequences of data loss, and estimate its seriousness and likelihood.",
+ "title": "Data disappearance"
+ },
+ "5": {
+ "short_help": "This visualisation allows you to have a global and synthetic view on the controls effects on the risks they address.",
+ "title": "Risks overview"
+ }
+ },
+ "short_help": "This section allows you to assess the privacy risks, taking into account existing or planned controls.",
+ "title": "Risks"
+ },
+ "4": {
+ "items": {
+ "1": {
+ "short_help": "This visualisation allows you to compare the positioning of the risks between them, before and after application of the complementary controls.",
+ "title": "Risk mapping"
+ },
+ "2": {
+ "short_help": "Plan in detail the implementation of the additional controls identified during the PIA. The action plan is automatically updated when evaluating the different elements comprised in the PIA.",
+ "title": "Action plan"
+ },
+ "3": {
+ "short_help": "Present the advice of the person in charge of data protection and privacy issues (data protection delegate if there is one). 
Present the views of the data subjects or their representatives.",
+ "title": "DPO and data subjects' opinions"
+ },
+ "4": {
+ "title": "Validate the PIA"
+ },
+ "5": {
+ "title": "Rejected PIA"
+ }
+ },
+ "short_help": "This section allows you to prepare and formalise the PIA validation.",
+ "title": "Validation"
+ }
+ },
+ "settings": {
+ "content": "Please, provide the address (URL) of the remote server:",
+ "title": "Settings",
+ "update": "Update URL"
+ },
+ "summary": {
+ "action_plan": {
+ "fundamental_principles": "Fundamental principles",
+ "implementation_date": "Expected date of implementation",
+ "implementation_responsible": "Responsible for implementation",
+ "measures": "Existing or planned measures",
+ "no_action_plan": "No action plan recorded.",
+ "risks": "Risks",
+ "title": "Action plan"
+ },
+ "actions": {
+ "complete_download": "Download the full report",
+ "complete_download_desc": "Export in a .zip archive all the report content (.doc and pictures), attachments and the action plan in a .csv format.",
+ "individual_download": "Download elements of the report",
+ "individual_download_desc": "Export specific elements of the report.",
+ "individual_download_pdf": "PIA report (.pdf)",
+ "individual_download_doc": "Texts (.doc)",
+ "individual_download_images": "Visual elements (.png) including the risk overview, the risk mapping and the action plan.",
+ "individual_download_json": "TO TRANSLATE - Report to import into the PIA tool (.json file)",
+ "individual_download_select": "Select elements to export:",
+ "individual_to_download": "Download",
+ "print": "Print the report",
+ "print_and_download": "Print and download"
+ },
+ "attachments": "Attachments",
+ "concerned_people_name": "Concerned people opinions",
+ "concerned_people_opinion": "Concerned people opinions",
+ "concerned_people_searched_opinion": "Search of concerned people opinion",
+ "concerned_people_status": "Concerned people statuses",
"concerned_people_unsearched_opinion_comment": "Reason why concerned people opinion wasn't requested", + "content_choice": [ + "The treatment should not be used.", + "The treatment could be implemented." + ], + "creation_date": "Creation date", + "csv_action_plan_comment": "Action plan comment", + "csv_evaluation_comment": "Evaluation comment", + "csv_file_title": "action-plan", + "csv_implement_date": "Estimated implementation date", + "csv_people_in_charge": "Person in charge", + "csv_section": "Section", + "csv_title_object": "Title", + "download_csv": "Action plan (.csv)", + "dpo_name": "DPO's name", + "dpo_opinion": "DPO's opinion", + "dpo_status": "DPO's status", + "gauges": { + "1": "Negligible", + "2": "Limited", + "3": "Important", + "4": "Maximum" + }, + "modification_made": "Modifications made", + "people_search_status_nok": "Concerned people opinion wasn't requested.", + "people_search_status_ok": "Concerned people opinion was requested.", + "pia_assessor": "Assessor's name", + "pia_author": "Author's name", + "pia_name": "PIA", + "pia_validator": "Validator's name", + "preview_dpo_opinion": "TO TRANSLATE - DPO and data subjects opinion", + "preview_edition": "Editing", + "preview_evaluation": "Evaluation", + "preview_no_data": "No data to display.", + "preview_status": "Status", + "preview_subtitle": "General information", + "preview_title": "Preview", + "preview_validation": "Validation", + "preview_validation_section": "Validation", + "preview_guests": "Guests", + "previous_page": "Back to previous page", + "rejection_reason": "Rejection reason", + "revision": { + "current_version": "Current version", + "pia_version": "PIA versions", + "restore_version": "Restore", + "revision": "Versions and revision", + "save": "Create a new version", + "show": "Display the {{length}} versions" + }, + "risks_cartography_title": "Risk mapping", + "risks_overview_title": "Risks overview", + "title": "PIA information" + }, + "users": { + "add_new_user": "Add a new 
user", + "cancel": "Cancel", + "choose_profile": "Choose a profile for this user", + "continue": "Continue", + "data": "Data", + "edit_user": "Edit an user", + "email": "Email", + "first_name": "First name", + "functional_admin": "Functional administrator", + "last_name": "Last name", + "new_user_button": "New user", + "profile": "Profile", + "remove": "Delete", + "remove_current_user_error_message": "You can't delete your own account.", + "remove_last_functional_admin_error_message": "You cannot delete this user because at least one Technical Administrator account must remain.", + "remove_user_with_linked_pias_error_message": "Several PIAs are attached to this user, so you cannot delete him.", + "technical_admin": "Technical administrator", + "update": "Update", + "user": "User", + "state": "Account's state", + "errors": { + "edit_user": { + "406": "The information provided when creating the account is invalid." + } + }, + "delete": { + "confirm": "Remove user", + "content": "Are you sure you want to delete this user?" + }, + "access_locked": { + "false": "Active", + "true": "Waiting for activation" + }, + "role": { + "label": "Role(s)", + "author": "Author", + "evaluator": "Evaluator", + "validator": "Validator", + "guest": "Guest" + } + }, + "validation_page": { + "add_signed_pia": "Add the signed PIA", + "after_reading": "After reading full PIA relating to the data processing linked to ", + "button": { + "rejection": "Reject PIA", + "signed_validation": "Approve PIA
(signed)", + "simple_validation": "Approve PIA
(direct)" + }, + "confirmation1": "I attest that the context of the processing described in the PIA is consistent with the reality.", + "confirmation2": "I attest that I am aware of the risks depending on the existing or planned measures.", + "confirmation3": "I ratify the corrective actions indicated in the action plan.", + "confirmation4": "I commit to implement as quickly as possible the indicated corrective actions.", + "latest_signed_attachment": "Last signed attachment", + "mandatory_fields": "All boxes must be checked", + "remove_attachment": "Remove the attachment", + "responsible": "Person accountable for validating the PIA: ", + "signed_attachments_history": "Signed attachments history", + "tools": { + "dashboard": "Dashboard", + "display_pia": "Display report" + }, + "validated_pia_with_signature": "Approved", + "waiting_for_signature": "Pending signed PIA" + } +}