As the operator of a data-receiving system, you are obliged by the GDPR to create a register of processing activities. Based on this document, an attribute release is created for your service provider.

List of processing activities

A template and documentation can be found on the intranet:

• https://intranet.rwth-aachen.de/documents/20121/1362bc75-8d49-1d5c-371b-c76dd32adc88

Create a first draft and open a ticket at the ServiceDesk and attach your document. It will then be reviewed by Identity Management and a corresponding release will be configured. We recommend that you obtain a corresponding opinion from the data protection office.

Instructions for completing the directory:

From an identity management perspective, the following information is particularly important. For all other fields, you are welcome to contact the data protection office for advice.

• Please enter the entity ID of the service provider when naming the processing activity.

• The person responsible for the system must be listed under "Angaben zur verantwortlichen Einrichtung/Organisationseinheit". "Angaben zum ggf. gemeinsam mit diesem Verantwortlichen" is not applicable if the responsibility for the system lies with an organizational unit.

• Enter the attributes you consider necessary with the corresponding designations and also the data you have collected in your service in the "Description of the categories of personal data" field in the document. Please use the attribute description from the "Technical description" column in our documentation "Explanation of attributes".

Example for the documentation of requested Shibboleth attributes:

Selection of possible processing activities:

• https://intranet.rwth-aachen.de/documents/20121/0e650b4a-eecb-7fbf-864f-6e8f87520c9a

• Signature: The VVT must be signed by the head of the responsible facility.

Read more:

• https://intranet.rwth-aachen.de/group/guest/articledetailpage/-/asset_publisher/cadSeXJzMOzq/content/id/20838704