Entities

A field guide to Entities you will encounter in the API and how they relate to each other.

This section walks you through the various entities in the system without assuming you have any prior knowledge of how the system operates — it is not meant to be a comprehensive reference, but rather to help orient you as to how our system is put together now that you understand the purpose of the API as outlined previously.

Basics

First there are a few different “types” and low level concepts that the system is designed around.

Identity

At its core the Events API provides a system for managing information about individual people who are customers of a given data controller.

However, because the Events API itself does not store any Personal Data, in order to track Personal Data and link it to relevant entities within ALIAS, the IT team of your organization needs to associate individual people with a reference for ALIAS in a matching table or equivalent. Such a reference is referred to as an Identity.

ALIAS will provide unique identifiers for each Identity that needs to be tracked.

Natural vs Legal Persons

The Events API requires you to provide information for Natural Persons, which are actual human beings (alive or deceased) as well as Legal Persons, such as a corporation. These Persons will be individuals and entities associated with your organization, either in a specific role (e.g. CEO or DPO) or as a partner who also acts as a data processor on the Personal Data you collect.

DataSubjectCategory

A DataSubjectCategory is a classification scheme for Identities, or Data Subjects, to which common rules governing the use of their Personal Data will apply.

DataType and DataCategory

When it comes to managing the Personal Data of the various “Identities” tracked by the system, it becomes important to refer to different component elements of that data in classifications that pertain to how an atomic piece of data must be treated in order to be compliant with GDPR. We refer to these as DataTypes.

Some examples of DataTypes include:

  • first name
  • last name
  • email

DataTypes are aggregated into larger sets of related DataTypes called a DataCategory. This is necessary, for instance, when a document is required for identification (say for employment) but it may be one of a variety of DataTypes, such as a Passport vs. a Driver’s License.

DataTypes defined in the system may be obtained through the data-types endpoint.

EventType, Event, and EventFamily

An EventType is a classification of an occurrence within a client’s system that pertains to Personal Data that must be logged in a Treatment Sheet.

EventTypes have a trigger, which is an action or time-based cause of, and attestation to, the production of an Event.

Some EventTypes lead to the creation of data in client systems and as such are marked as “creative.”

An Event is an instance of a given EventType with an associated timestamp pertaining to a given Identity.

An EventFamily is a functional thematic group of EventTypes.

Some examples of EventFamilies include:

  • ConsentConsent or RevokeConsent
  • AcceptContract or RevokeContract

EventTypes defined in the system may be obtained through the event-types endpoint.

Supporting Entities

Now that we’ve covered some of the basics, this section will discuss some of the supporting entities in the system that are built on them.

DataSources and DataLocations

A DataSource is an abstraction of the medium in which PersonalData is stored. It could be a hard drive on site, a location in the data cloud or down the hallway in a filing cabinet.

A DataSource describes the location of the customer data that is being tracked, specifically where it is in the overall system, that is:

  • how/where it is stored
  • to where it’s been replicated

This includes country data in order to make sure compliance is in accordance with that country’s rules. Additionally, there is a storage state with possible values of production, legal, and history that classifies where the storage is used.

A DataLocation is the precise location where a data item is stored within a DataSource. A DataLocation would be the equivalent of a path on a file system.

Replications

The ALIAS Event API also tracks Replications of data stored within a DataSource as storing Personal Data in data storage locations in different countries may have an impact on storage retention rules and other aspects of GDPR compliance.

LegalBase

A LegalBase provides a reference to the reason in the law (e.g. the GDPR) that provides the basis for acting in a particular manner in regards to PersonalData, such as the rules governing its retention. It will have an external reference in the form of a URL that acts as a citation.

Rules, Instructions, and Warnings

StorageDurationRule

StorageDurationRule describes how long a given DataCategory may be persisted; this is associated with a legal basis as well as the type of events that cause the data to be stored.

Instruction

An Instruction directs the client to perform a specific action (e.g. delete) on data at a specific location (specified by a Location object).

Warnings

Warnings correspond to Instructions that have not yet been complied with.

FreezeRule

A FreezeRule aggregates the processing records affected by certain circumstances (i.e. legal proceedings) that require all use of particular Personal Data to cease. It may for instance prohibit moving data to legal storage or effectively put a hold on storage duration rules. ALIAS will suspend sending Instructions regarding those DataType instances.
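How StorageDurationRules, Instructions, Warnings and FreezeRules interact, sketched as an added example that is not ALIAS code or its schema. All field names, the sample identifiers and the three-year duration are assumptions, as is the choice to start the retention clock at the most recent triggering Event.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Field names are assumptions for this example; the page gives no schema.
@dataclass(frozen=True)
class Event:
    identity: str      # opaque ALIAS reference, never Personal Data
    event_type: str
    at: datetime

@dataclass(frozen=True)
class StorageDurationRule:
    data_category: str
    event_type: str    # EventType that causes the data to be stored
    duration: timedelta

@dataclass(frozen=True)
class Instruction:
    action: str
    identity: str
    data_category: str
    due: datetime

def instructions_due(events, rules, frozen, now):
    """Delete Instructions for lapsed retention periods, skipping frozen data.
    frozen: set of (identity, data_category) pairs under a FreezeRule.
    Assumption: the most recent triggering Event restarts the clock."""
    latest = {}
    for e in events:
        key = (e.identity, e.event_type)
        latest[key] = max(e.at, latest.get(key, e.at))
    out = []
    for (identity, event_type), at in sorted(latest.items()):
        for r in rules:
            due = at + r.duration
            if (r.event_type == event_type and due <= now
                    and (identity, r.data_category) not in frozen):
                out.append(Instruction("delete", identity, r.data_category, due))
    return out

def warnings(instructions, complied):
    """Warnings are the Instructions not yet complied with."""
    return [i for i in instructions if i not in complied]

# Constructed sample data (identifiers, categories and durations are made up).
EVENTS = [Event("id-001", "AcceptContract", datetime(2020, 1, 10)),
          Event("id-002", "AcceptContract", datetime(2020, 3, 1)),
          Event("id-003", "AcceptContract", datetime(2024, 6, 1))]
RULES = [StorageDurationRule("contract-documents", "AcceptContract", timedelta(days=3 * 365))]
FROZEN = {("id-002", "contract-documents")}  # e.g. legal proceedings
NOW = datetime(2025, 1, 1)
```

With this sample, only id-001 receives a delete Instruction: id-002 has also passed its retention period but is held by the freeze, and id-003 is still within it.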

Processing Records

The Processing Record

The ProcessingRecord is the central entity in the system for tracking the usage of Personal Data by a client system.

Processing Records correspond to the documentation that must legally be held by data controllers detailing the conditions under which a data processing operation has been carried out (who does what, with what data, for what reasons, for how long, where ...).
All the compulsory information that must be included in a processing record is listed in Article 30 of the GDPR.

The data processors of a controller must also keep a file, with simplified information, for each processing operation they carry out on behalf of the controller.

DataTransfer

A DataTransfer is a subcomponent of a Processing Record, for recording the transfer of data from one system to another with reference to the purpose as well as the recipient.

Transferring data from one storage location to another, especially when the location in which the data is stored is another country, can invoke certain GDPR rules.