{"workflow_id": "7a051f04-c91f-47a2-9346-b636dd522a82", "entity_description": "HR SaaS vendor 'PeopleFlow' processing payroll, performance reviews, absence data (incl. medical certificates), 'flight-risk' profiling for 1,200 employees across DE/NL/SE. US-based vendor, SCCs in place, sub-processor list includes AWS us-east-1 + analytics provider.", "generated_at": "2026-05-14T10:04:39.897461+00:00", "org_profile": {"jurisdiction": "DE"}, "screening": {"outcome": "DPIA required", "rationale": "Three Article 35(3) triggers fire concurrently: (a) systematic and extensive evaluation based on automated processing including 'flight-risk' profiling that materially affects employment decisions; (b) large-scale processing of special categories — medical certificates fall under Art. 9(1) health data — across 1,200 employees in three Member States; and (c) per the WP29 nine-criteria guidance adopted by EDPB, the combination of employee-context (vulnerable data subjects), large scale, sensitive data, evaluation/scoring, and international transfer crosses multiple thresholds. DE BfDI and NL AP mandatory DPIA lists both flag employee monitoring + profiling as triggering.", "exemption_basis": [], "criteria_triggered": [{"article": "GDPR Art. 35(3)(a)", "criterion": "Profiling with significant effect", "description": "Flight-risk score drives retention interventions, performance management cycles, succession planning — significantly affects the employee."}, {"article": "GDPR Art. 35(3)(b) + Art. 
9(1)", "criterion": "Large-scale special-category data", "description": "Medical certificates (health data) for 1,200 employees across DE/NL/SE."}, {"article": "WP248 rev.01 (endorsed by EDPB)", "criterion": "WP29 nine-criteria — employees as vulnerable data subjects", "description": "Power asymmetry in employment context elevates risk."}, {"article": "BDSG §67 + BfDI Liste", "criterion": "Mandatory list — DE BfDI", "description": "Employee monitoring + behavioural profiling on the DE mandatory list."}, {"article": "AP Besluit DPIA-plichtig", "criterion": "Mandatory list — NL AP", "description": "Large-scale employee monitoring listed."}]}, "dpo_consultation": {"followed": true, "designated": true, "advice_date": "2026-05-08", "dpo_contact": "dpo@example-customer.eu", "advice_sought": true, "advice_summary": "DPO recommended (i) treating flight-risk as Article 22 automated decision-making with meaningful human review before any retention intervention; (ii) supplementary technical measures on top of SCCs for US transfers per EDPB Recommendations 01/2020 (encryption-at-rest with EU-held keys, pseudonymisation of identifiers before transfer); (iii) Article 88 Member-State carve-outs to be honoured — BDSG §26 (DE), UAVG art. 
30 (NL), Diskrimineringslagen + Sjuklagen (SE); (iv) works-council/employee-representative consultation before go-live in DE and NL.", "recommendation": "Proceed with DPIA; do not deploy flight-risk in production until Article 22 safeguards and TIA supplementary measures are in place.", "deviation_rationale": null}, "processing_description": {"purposes": ["Operate payroll and statutory reporting", "Track absence and leave entitlement", "Run performance review cycles", "Predict flight-risk to inform retention interventions", "Workforce planning and headcount analytics"], "hri_count": 8, "data_types": [{"source": "employee, HRIS", "category": "Identity and contact", "art9_type": null, "volume_estimate": 1200, "retention_period": "employment + 10y (tax)", "sensitivity_flag": "normal"}, {"source": "HR, finance", "category": "Payroll (bank account, salary, tax ID)", "art9_type": null, "volume_estimate": 1200, "retention_period": "employment + 10y", "sensitivity_flag": "financial"}, {"source": "manager input, 360 reviews", "category": "Performance reviews + manager comments", "art9_type": null, "volume_estimate": 1200, "retention_period": "employment + 3y", "sensitivity_flag": "evaluative"}, {"source": "HR self-service", "category": "Absence and leave", "art9_type": null, "volume_estimate": 1200, "retention_period": "employment + 5y", "sensitivity_flag": "normal"}, {"source": "employee upload", "category": "Medical certificates (sick notes)", "art9_type": "health", "volume_estimate": 1200, "retention_period": "employment + 5y", "sensitivity_flag": "special"}, {"source": "PeopleFlow ML model", "category": "Flight-risk score and feature vector", "art9_type": null, "volume_estimate": 1200, "retention_period": "rolling 24m", "sensitivity_flag": "derived/profiling"}], "processors": [{"name": "PeopleFlow Inc.", "role": "primary processor", "country": "US"}, {"name": "AWS (us-east-1)", "role": "sub-processor — hosting", "country": "US"}, {"name": "Analytics Inc.", "role": 
"sub-processor — ML feature pipeline", "country": "US"}], "legal_basis": {"article_6_basis": "6(1)(b) contract for payroll/performance; 6(1)(c) legal obligation for tax + sickness reporting; 6(1)(f) legitimate interest for flight-risk — contested, see risk assessment", "article_10_basis": "N/A — no criminal-conviction data", "article_9_condition": "9(2)(b) employment, social security and social protection law — with Member-State carve-outs in BDSG §26 (DE), UAVG art. 30 (NL), and Diskrimineringslagen + Sjuklagen (SE)"}, "data_subjects": [{"type": "Employees (DE, NL, SE)", "vulnerable": true, "volume_estimate": 1200}, {"type": "Managers (referenced in performance comments)", "vulnerable": false, "volume_estimate": 180}], "recommended_scope": "Full DPIA covering all five processing purposes; flight-risk profiling drives the highest residual risk.", "high_risk_indicators": [{"id": "HRI-01", "name": "Evaluation/scoring (WP248)", "present": true, "rationale": "Flight-risk score affects retention/promotion."}, {"id": "HRI-02", "name": "Automated decision with legal/significant effect", "present": true, "rationale": "Score informs retention interventions and PIP triggers."}, {"id": "HRI-03", "name": "Systematic monitoring", "present": true, "rationale": "Continuous behavioural signal collection (login cadence, absence pattern, review tone)."}, {"id": "HRI-04", "name": "Sensitive or special-category data", "present": true, "rationale": "Health data via medical certificates."}, {"id": "HRI-05", "name": "Data processed on a large scale", "present": true, "rationale": "1,200 subjects × 7 data types × 3 jurisdictions."}, {"id": "HRI-06", "name": "Matching/combining datasets", "present": true, "rationale": "Performance + absence + payroll combined into flight-risk feature vector."}, {"id": "HRI-07", "name": "Data on vulnerable subjects", "present": true, "rationale": "Employees in power-asymmetric relationship."}, {"id": "HRI-08", "name": "Innovative technology", "present": 
false, "rationale": "Standard supervised ML — not novel."}, {"id": "HRI-09", "name": "Prevents data subjects from exercising a right or using a service", "present": true, "rationale": "Score may gate access to internal mobility programmes."}], "international_transfers": [{"mechanism": "SCCs (Module 2 controller-to-processor, 2021/914) + transfer impact assessment under Schrems II", "destination": "US"}, {"mechanism": "EU-US Data Privacy Framework — PeopleFlow self-certified; reliance pending TIA review", "destination": "US"}]}, "necessity_assessment": {"lia_assessment": {"outcome": "LIA fails for the as-designed feature set; mitigation must drop the failing features or add Art. 22 safeguards including meaningful human review and opt-out.", "purpose_test": "Retaining employees is a recognised legitimate interest of the controller.", "balancing_test": "Reasonable expectation of the employee is materially exceeded for the profiling purpose; processing of sick-leave frequency as a flight-risk feature is contrary to Recital 35 / Article 9(2)(b) carve-out scope.", "necessity_test": "Fails for sentiment-on-manager-comments and sick-leave-frequency features; passes for tenure + role-level + voluntary engagement-survey signals."}, "assessment_narrative": "Payroll, statutory absence reporting, and performance management are necessary for the employment contract and for legal obligations under DE/NL/SE tax + social security law. 
The flight-risk profiling purpose is not necessary for the contract; it is pursued on Article 6(1)(f) legitimate interest, which fails the balancing test for several feature inputs (manager-comment sentiment scoring, absence frequency as a flight-risk signal).", "alternatives_considered": [{"alternative": "Manual managerial judgement for retention conversations", "why_rejected": "Inconsistent and produces its own bias risk; rejected as the sole mechanism but kept as the human-review layer."}, {"alternative": "Anonymised cohort-level analytics (no per-employee score)", "why_rejected": "Useful for HR planning but does not deliver the per-employee trigger the HR business sponsor wants — to be re-proposed in mitigation."}, {"alternative": "EU-resident processor with no US transfer", "why_rejected": "Considered; PeopleFlow EU has a 9-month waitlist. Re-evaluate at next vendor review."}], "proportionality_assessment": "Categories 1–4 are proportionate. Category 5 (medical certificates) is proportionate only when stored as a hash + metadata for absence-entitlement enforcement; the current vendor design ingests the full certificate body, which is disproportionate. Category 6 (flight-risk feature vector) is disproportionate as designed — includes inputs (sick-leave count, manager-comment sentiment) that elevate Art. 
22 risk without commensurate benefit.", "data_minimisation_assessment": "Strip free-text manager-comment ingestion; pseudonymise identifiers before transfer to PeopleFlow; restrict medical-certificate processing to entitlement check only (do not pass body to ML pipeline)."}, "scope_and_methodology": {"assessment_date": "2026-05-14 09:59:18.250715+00:00", "assessment_end": "2026-05-14 10:04:17.940799+00:00", "frameworks_assessed": ["GDPR Article 35"], "documents_analyzed": [], "methodology": "GDPR Article 35; rights taxonomy + CNIL severity x likelihood (1..4 each, 1..16 product)"}, "risks": [{"id": "R-01", "description": "Unauthorised disclosure of medical certificates via PeopleFlow document store misconfiguration or sub-processor breach.", "category": "confidentiality", "affected_rights": [{"right": "Confidentiality of health data", "article": "GDPR Art. 9(1)"}, {"right": "Security of processing", "article": "GDPR Art. 32"}], "harm_description": "Significant material and non-material harm; potential employment-discrimination consequences if employer infers disability.", "data_types_affected": ["Medical certificates", "Absence and leave"]}, {"id": "R-02", "description": "Discriminatory or otherwise unfair flight-risk score produced by ML model trained on biased historical retention data.", "category": "rights", "affected_rights": [{"right": "Right not to be subject to solely automated decision-making", "article": "GDPR Art. 22"}, {"right": "Fairness and lawfulness", "article": "GDPR Art. 5(1)(a)"}, {"right": "Non-discrimination", "article": "EU Charter Art. 
21"}], "harm_description": "Employees mislabelled as flight risks may be excluded from succession, training, promotion — silent career harm.", "data_types_affected": ["Flight-risk score and feature vector", "Performance reviews", "Absence and leave"]}, {"id": "R-03", "description": "International transfer to US without effective safeguards — government access to data under FISA 702 / EO 12333 even with SCCs in place.", "category": "rights", "affected_rights": [{"right": "Restriction on third-country transfers", "article": "GDPR Art. 44–46"}, {"right": "Effective remedy", "article": "EU Charter Art. 47"}], "harm_description": "EDPB Recommendations 01/2020 require supplementary measures; SCCs alone are insufficient (Schrems II).", "data_types_affected": ["All categories"]}, {"id": "R-04", "description": "Function-creep: flight-risk score reused for layoff selection or compensation decisions beyond original purpose.", "category": "rights", "affected_rights": [{"right": "Purpose limitation", "article": "GDPR Art. 5(1)(b)"}], "harm_description": "Score weaponised in decisions employees never consented to; loss of trust; potential collective bargaining dispute.", "data_types_affected": ["Flight-risk score and feature vector"]}, {"id": "R-05", "description": "Manager-comment sentiment scoring captures subjective evaluative language and turns it into a quantified signal employees cannot effectively rebut.", "category": "rights", "affected_rights": [{"right": "Right to rectification", "article": "GDPR Art. 16"}, {"right": "Fairness", "article": "GDPR Art. 5(1)(a)"}], "harm_description": "Opaque scoring loop; employees cannot challenge the underlying sentiment classification.", "data_types_affected": ["Performance reviews", "Flight-risk score and feature vector"]}, {"id": "R-06", "description": "Sick-leave count used as flight-risk feature — indirect special-category processing of health data outside the Art. 
9(2)(b) employment-law carve-out.", "category": "rights", "affected_rights": [{"right": "Processing of special categories", "article": "GDPR Art. 9"}, {"right": "Recital 35", "article": "GDPR Recital 35"}], "harm_description": "Health data fed into a non-health-purpose model; sickness becomes a career penalty signal.", "data_types_affected": ["Absence and leave", "Medical certificates", "Flight-risk score and feature vector"]}, {"id": "R-07", "description": "Data subject rights (access, erasure, objection, Art. 22 human-review) cannot be effectively exercised against a US processor at the technical layer.", "category": "rights", "affected_rights": [{"right": "Rights of the data subject", "article": "GDPR Arts. 15–22"}], "harm_description": "Right exists on paper, denied in practice; supervisory authority intervention required to enforce.", "data_types_affected": ["All categories"]}, {"id": "R-08", "description": "Excessive retention of feature vectors (rolling 24m) accumulates a longitudinal profile beyond minimisation principle.", "category": "rights", "affected_rights": [{"right": "Storage limitation", "article": "GDPR Art. 5(1)(e)"}, {"right": "Data minimisation", "article": "GDPR Art. 5(1)(c)"}], "harm_description": "Long-tail profile increases breach impact and erodes the proportionality basis of legitimate-interest claim.", "data_types_affected": ["Flight-risk score and feature vector"]}, {"id": "R-09", "description": "Privacy notice does not explain the flight-risk logic, significance, and envisaged consequences (Art. 13(2)(f) / 14(2)(g)).", "category": "rights", "affected_rights": [{"right": "Information to the data subject", "article": "GDPR Arts. 13–14"}], "harm_description": "Employees cannot meaningfully exercise Art. 
22 rights without knowing the score exists.", "data_types_affected": ["Flight-risk score and feature vector"]}, {"id": "R-10", "description": "DE works-council co-determination right (BetrVG §87) not honoured before deployment of behavioural monitoring system.", "category": "rights", "affected_rights": [{"right": "Member-State employment-law safeguards", "article": "GDPR Art. 88 + BDSG §26"}], "harm_description": "Deployment invalid in DE absent Betriebsvereinbarung; supervisory authority can order halt; works-council can apply for an injunction.", "data_types_affected": ["All categories"]}, {"id": "R-11", "description": "Sub-processor list change (PeopleFlow swaps analytics vendor) without controller approval breaks Art. 28(2) chain.", "category": "rights", "affected_rights": [{"right": "Processor obligations", "article": "GDPR Art. 28"}], "harm_description": "Loss of chain-of-custody; controller may be unable to demonstrate accountability under Art. 5(2).", "data_types_affected": ["All categories"]}, {"id": "R-12", "description": "Insufficient logging of access to flight-risk scores by HR business partners and managers.", "category": "integrity", "affected_rights": [{"right": "Integrity and confidentiality", "article": "GDPR Art. 5(1)(f)"}, {"right": "Security of processing", "article": "GDPR Art. 32"}], "harm_description": "Cannot detect or evidence misuse; weakens accountability under Art. 5(2).", "data_types_affected": ["Flight-risk score and feature vector"]}], "risk_analysis": [{"id": "R-01", "likelihood": "limited", "likelihood_score": 2, "likelihood_justification": "PeopleFlow has SOC 2 Type II + ISO 27001; AWS us-east-1 is mature; primary vector is misconfiguration of customer-managed access lists.", "severity": "significant", "severity_score": 3, "severity_justification": "Health data of 1,200 employees; per Recital 75 health-data disclosure produces significant harm. Multi-jurisdiction notification under Art. 
33/34.", "safeguards": [{"risk_id": "R-01", "measure": "Customer-managed encryption keys (CMK) on the medical-certificate object store; envelope encryption with HSM-held KEK; document body encrypted before upload.", "type": "technical", "gdpr_article": "Art. 32(1)(a)", "effort": "medium", "score_before": 12, "score_after": 4, "justification": "Reduces blast radius if the vendor account is compromised; the vendor cannot read certificates without the controller-held key, so key custody and decryption must stay on the controller side."}, {"risk_id": "R-01", "measure": "Restrict medical-certificate ingestion to hash + entitlement metadata; do not pass body to ML pipeline.", "type": "organisational", "gdpr_article": "Art. 5(1)(c)", "effort": "low", "score_before": 12, "score_after": 3, "justification": "Eliminates the highest-impact disclosure path entirely — the certificate body simply never crosses the trust boundary."}, {"risk_id": "R-01", "measure": "DPA Annex II TOMs review on PeopleFlow + sub-processors annually; pen-test of document-store ACLs.", "type": "contractual", "gdpr_article": "Art. 28(3)(c)", "effort": "low", "score_before": 6, "score_after": 3, "justification": "Catches misconfiguration drift."}], "score": 6, "residual_risk_score": 3}, {"id": "R-02", "likelihood": "significant", "likelihood_score": 3, "likelihood_justification": "Historical retention data reflects existing demographic skew; supervised models replay it. Vendor has no documented bias-mitigation pipeline.", "severity": "significant", "severity_score": 3, "severity_justification": "Discriminatory output silently shapes career outcomes; significant non-material harm to affected groups; potential collective claim risk under EU Charter Art. 21.", "safeguards": [{"risk_id": "R-02", "measure": "Pre-deployment fairness audit (demographic parity + equalised odds) per gender, age band, jurisdiction; published bias-mitigation report.", "type": "organisational", "gdpr_article": "Art. 
35(7)(d)", "effort": "high", "score_before": 12, "score_after": 6, "justification": "Detects and corrects bias before production; ongoing quarterly re-audit."}, {"risk_id": "R-02", "measure": "Article 22 safeguard: meaningful human review before any retention intervention; documented override authority; employee right to contest.", "type": "organisational", "gdpr_article": "Art. 22(3)", "effort": "medium", "score_before": 12, "score_after": 4, "justification": "Score becomes advisory, not decisional; satisfies Article 22(3) suitable measures."}, {"risk_id": "R-02", "measure": "Drop manager-comment sentiment scoring and sick-leave count from the feature set.", "type": "technical", "gdpr_article": "Art. 5(1)(c)", "effort": "low", "score_before": 9, "score_after": 4, "justification": "Removes the two highest-bias inputs identified during scope review."}], "score": 9, "residual_risk_score": 4}, {"id": "R-03", "likelihood": "significant", "likelihood_score": 3, "likelihood_justification": "US is not adequate post-Schrems II without DPF reliance; PeopleFlow's DPF self-certification mitigates but does not eliminate FISA 702 exposure for the specific data categories.", "severity": "significant", "severity_score": 3, "severity_justification": "Government access to health + behavioural data has no effective remedy for the data subject in the US.", "safeguards": [{"risk_id": "R-03", "measure": "Supplementary technical measures per EDPB Recommendations 01/2020: encryption-at-rest with EU-held keys; pseudonymisation of identifiers (employee number, not name) before transfer.", "type": "technical", "gdpr_article": "Art. 46", "effort": "medium", "score_before": 12, "score_after": 6, "justification": "Reduces the cleartext effectively accessible to US authorities; data the vendor must process in the clear (payroll, model features) remains exposed, which is why this measure alone leaves a residual of 6."}, {"risk_id": "R-03", "measure": "Transfer Impact Assessment (TIA) documented per EDPB methodology; re-run on any sub-processor change or DPF status change.", "type": "organisational", "gdpr_article": "Art. 
46 + EDPB Rec. 01/2020", "effort": "medium", "score_before": 9, "score_after": 6, "justification": "Demonstrable accountability."}, {"risk_id": "R-03", "measure": "Module 2 SCCs Clauses 14 + 15 obligations explicitly in DPA; vendor onward-disclosure notice within 72h.", "type": "contractual", "gdpr_article": "Art. 28 + 46(2)(c)", "effort": "low", "score_before": 6, "score_after": 4, "justification": "Detects compelled-disclosure events."}], "score": 9, "residual_risk_score": 4}, {"id": "R-04", "likelihood": "significant", "likelihood_score": 3, "likelihood_justification": "Score is attractive for unrelated HR decisions; pressure to reuse during workforce reductions is predictable.", "severity": "limited", "severity_score": 2, "severity_justification": "Reusing the score for layoff selection would compound R-02 harm; isolated reuse limited in severity unless paired with discrimination.", "safeguards": [{"risk_id": "R-04", "measure": "Purpose-binding policy: flight-risk score may not be used for compensation, layoff selection, or disciplinary action. Written into HR policy + DPA scope.", "type": "organisational", "gdpr_article": "Art. 5(1)(b)", "effort": "low", "score_before": 6, "score_after": 2, "justification": "Clear bright line; auditable."}, {"risk_id": "R-04", "measure": "Access control: HR business partners only; managers see retention recommendation, not raw score.", "type": "technical", "gdpr_article": "Art. 5(1)(f) + Art. 
32", "effort": "medium", "score_before": 6, "score_after": 3, "justification": "Reduces opportunity for ad-hoc reuse."}], "score": 6, "residual_risk_score": 2}, {"id": "R-05", "likelihood": "significant", "likelihood_score": 3, "likelihood_justification": "Sentiment scoring is in PeopleFlow's standard pipeline; opaque to data subject by default.", "severity": "limited", "severity_score": 2, "severity_justification": "Indirect effect on career outcomes; recoverable if score is removed and human review applied.", "safeguards": [{"risk_id": "R-05", "measure": "Disable sentiment-on-manager-comments feature; if retained, expose the underlying classification to the employee on request with appeal route.", "type": "technical", "gdpr_article": "Art. 16 + Art. 22(3)", "effort": "low", "score_before": 6, "score_after": 2, "justification": "Either removes the input or makes it contestable."}, {"risk_id": "R-05", "measure": "Train managers on factual review-writing (vs. evaluative sentiment) so the underlying inputs are less amplified by sentiment scoring downstream.", "type": "organisational", "gdpr_article": "Art. 5(1)(d)", "effort": "low", "score_before": 4, "score_after": 2, "justification": "Reduces noise in the sentiment inputs."}], "score": 6, "residual_risk_score": 2}, {"id": "R-06", "likelihood": "maximum", "likelihood_score": 4, "likelihood_justification": "Sick-leave count is already in the planned feature set; if shipped as designed this risk is certain.", "severity": "significant", "severity_score": 3, "severity_justification": "Indirect special-category processing; sickness becomes a career penalty signal contrary to Recital 35 and Art. 9 carve-out scope.", "safeguards": [{"risk_id": "R-06", "measure": "Remove sick-leave count from the feature vector entirely; replace with role-tenure and engagement-survey opt-in signals.", "type": "technical", "gdpr_article": "Art. 9(1) + Art. 
5(1)(c)", "effort": "low", "score_before": 12, "score_after": 3, "justification": "Eliminates the indirect Art. 9 processing path. Endorsed by DPO."}, {"risk_id": "R-06", "measure": "Document the feature-exclusion policy in the DPIA so future model retraining cannot silently re-add it.", "type": "organisational", "gdpr_article": "Art. 5(2) accountability", "effort": "low", "score_before": 6, "score_after": 2, "justification": "Prevents drift on next model version."}], "score": 12, "residual_risk_score": 2}, {"id": "R-07", "likelihood": "limited", "likelihood_score": 2, "likelihood_justification": "Vendor offers a DSAR endpoint; in practice latency and completeness for derived data (flight-risk score) are unknown.", "severity": "limited", "severity_score": 2, "severity_justification": "Recoverable through controller-side workflow; supervisory authority can compel.", "safeguards": [{"risk_id": "R-07", "measure": "Controller-hosted DSAR endpoint that proxies vendor and includes the flight-risk score + feature vector + logic explanation in the response.", "type": "technical", "gdpr_article": "Arts. 15–22", "effort": "medium", "score_before": 6, "score_after": 2, "justification": "Single accountable surface for employee requests."}, {"risk_id": "R-07", "measure": "DPA SLA: vendor responds within 14 days to DSAR forwards.", "type": "contractual", "gdpr_article": "Art. 28(3)(e)", "effort": "low", "score_before": 4, "score_after": 2, "justification": "Keeps controller inside the Art. 
12(3) one-month window."}], "score": 4, "residual_risk_score": 2}, {"id": "R-08", "likelihood": "limited", "likelihood_score": 2, "likelihood_justification": "Vendor default; not adversarial.", "severity": "limited", "severity_score": 2, "severity_justification": "Storage limitation violation; magnifies impact of any other risk over time.", "safeguards": [{"risk_id": "R-08", "measure": "Reduce feature-vector retention from rolling 24m to rolling 12m; auto-purge stale vectors on a monthly job.", "type": "technical", "gdpr_article": "Art. 5(1)(e)", "effort": "low", "score_before": 4, "score_after": 2, "justification": "Aligns with proportionality assessment."}, {"risk_id": "R-08", "measure": "Document the retention rationale in the ROPA entry; review at every model retraining cycle.", "type": "organisational", "gdpr_article": "Art. 30", "effort": "low", "score_before": 4, "score_after": 2, "justification": "Demonstrable accountability."}], "score": 4, "residual_risk_score": 2}, {"id": "R-09", "likelihood": "significant", "likelihood_score": 3, "likelihood_justification": "Existing privacy notice is generic HR-vendor language; doesn't address Art. 22.", "severity": "limited", "severity_score": 2, "severity_justification": "Procedural breach with cascading effect on rights exercise, but readily remediable.", "safeguards": [{"risk_id": "R-09", "measure": "Updated privacy notice with a dedicated section on flight-risk processing: logic in plain language, significance, envisaged consequences, contestation process.", "type": "organisational", "gdpr_article": "Arts. 13(2)(f) + 14(2)(g)", "effort": "low", "score_before": 6, "score_after": 2, "justification": "Direct statutory obligation."}, {"risk_id": "R-09", "measure": "Layered notice: short summary card surfaced in HR portal at first login; detailed annex for download.", "type": "organisational", "gdpr_article": "Art. 
12(1)", "effort": "low", "score_before": 4, "score_after": 2, "justification": "Meets transparency in concise + intelligible form."}], "score": 6, "residual_risk_score": 2}, {"id": "R-10", "likelihood": "maximum", "likelihood_score": 4, "likelihood_justification": "DE Betriebsrat already objected; deployment without Betriebsvereinbarung is non-starter.", "severity": "significant", "severity_score": 3, "severity_justification": "Supervisory authority can order halt; collective action; reputational damage internally.", "safeguards": [{"risk_id": "R-10", "measure": "Negotiate Betriebsvereinbarung covering data categories, retention, access, and Art. 22 safeguards before any DE go-live. Mirror for NL OR.", "type": "organisational", "gdpr_article": "Art. 88 + BDSG §26", "effort": "high", "score_before": 12, "score_after": 4, "justification": "Statutory pre-requisite in DE; substantial in NL."}, {"risk_id": "R-10", "measure": "SE jurisdiction proceeds in parallel only after SE union (Unionen) sign-off on the score reasoning + opt-out mechanism.", "type": "organisational", "gdpr_article": "Art. 88 + Diskrimineringslagen", "effort": "medium", "score_before": 9, "score_after": 4, "justification": "SE collective-agreement culture expects union review."}], "score": 12, "residual_risk_score": 4}, {"id": "R-11", "likelihood": "limited", "likelihood_score": 2, "likelihood_justification": "PeopleFlow has a sub-processor notification mechanism; risk is mainly notification-window lag.", "severity": "limited", "severity_score": 2, "severity_justification": "Recoverable; documentary breach unless the new sub-processor introduces a separate risk.", "safeguards": [{"risk_id": "R-11", "measure": "DPA clause requiring 30-day prior notice of sub-processor changes with controller's right to object; objection-without-resolution = termination right.", "type": "contractual", "gdpr_article": "Art. 
28(2) + 28(4)", "effort": "low", "score_before": 4, "score_after": 2, "justification": "Preserves chain of accountability."}, {"risk_id": "R-11", "measure": "Quarterly sub-processor review by the DPO; cross-check against EDPB Recommendations + DPF list status.", "type": "organisational", "gdpr_article": "Art. 5(2)", "effort": "low", "score_before": 4, "score_after": 2, "justification": "Catches drift."}], "score": 4, "residual_risk_score": 2}, {"id": "R-12", "likelihood": "limited", "likelihood_score": 2, "likelihood_justification": "Vendor offers an audit log; controller has not yet validated coverage on per-employee score-access events.", "severity": "limited", "severity_score": 2, "severity_justification": "Limits ability to evidence misuse; weakens Art. 5(2) defensibility.", "safeguards": [{"risk_id": "R-12", "measure": "Enable per-employee, per-actor access logs on flight-risk score views; ship logs to controller SIEM via daily export.", "type": "technical", "gdpr_article": "Art. 5(1)(f) + Art. 32(1)(d)", "effort": "medium", "score_before": 4, "score_after": 2, "justification": "Auditable + tamper-evident on the controller side."}, {"risk_id": "R-12", "measure": "Quarterly access-log review by the DPO; sampling-based anomaly check.", "type": "organisational", "gdpr_article": "Art. 5(2)", "effort": "low", "score_before": 4, "score_after": 2, "justification": "Catches unauthorised lookups."}], "score": 4, "residual_risk_score": 2}], "risk_matrix_summary": {"low": 12, "medium": 0, "high": 0, "critical": 0}, "data_subject_views": {"method": "Works-council briefing in DE (Betriebsrat) and NL (OR); anonymous employee survey in SE (n=312 responses, 26% response rate); 1-hour Q&A with employee-representative group across all three jurisdictions.", "sought": true, "summary": "DE Betriebsrat objected to flight-risk profiling on Mitbestimmungspflicht grounds (BetrVG §87). NL OR requested clarification of human-review mechanism. 
SE survey: 71% uncomfortable with sentiment-on-manager-comments; 84% wanted opt-out; 92% wanted access to their score and reasoning. Cross-cutting themes: distrust of black-box scoring, concern about sick-leave used as a flight-risk signal, request for explicit human override."}, "consultation_assessment": {"consultation_basis": "After mitigation, no residual risk scores at or above 9 on the 1–16 scale and no residual band reaches 'maximum'. Highest residual is R-02 (discriminatory profiling) at 6 — controllable via the documented Art. 22 safeguards. Mitigation completion is the precondition. Pre-mitigation, R-06 (sick-leave feature) and R-10 (DE works-council) would have triggered Article 36. Mitigation R-06 is a hard pre-requisite — if not implemented, the workflow recommends prior consultation.", "residual_high_risks": [{"risk_id": "R-02", "score_after": 6, "why_still_high": "Bias-mitigation effectiveness only verifiable post-deployment via the published fairness audit; controller commits to quarterly re-audit and an Art. 22 human-review override."}, {"risk_id": "R-03", "score_after": 6, "why_still_high": "Schrems II posture cannot be reduced below 6 through controller-side measures alone; reliant on DPF stability + supplementary technical measures."}], "consultation_required": false, "member_state_triggers": [{"trigger": "BDSG §67 (mandatory DPIA list for employee monitoring) — satisfied by completing this DPIA; no separate Art. 36 trigger fires post-mitigation.", "jurisdiction": "DE"}, {"trigger": "AP Besluit DPIA-plichtig (employee monitoring large-scale) — satisfied; no Art. 36 trigger post-mitigation.", "jurisdiction": "NL"}, {"trigger": "IMY does not maintain a separate mandatory consultation list; EDPB criteria apply.", "jurisdiction": "SE"}], "member_state_triggers_checked": true, "transfer_compliance": [{"note": "US is not adequate. SCCs alone insufficient post-Schrems II; supplementary measures bridge the gap. 
DPF self-certification by PeopleFlow noted as a parallel mechanism but TIA covers both paths.", "adequate": false, "mechanism": "Module 2 SCCs (2021/914) + supplementary measures (encryption at rest with EU-held keys, pseudonymisation pre-transfer) + TIA documented", "destination": "US (PeopleFlow)"}, {"note": "Same Schrems II posture. Encryption-at-rest with controller-held KMS keys mitigates.", "adequate": false, "mechanism": "SCCs flow-through under Art. 28(4); AWS DPA includes Module 3 SCCs", "destination": "US (AWS us-east-1 sub-processor)"}, {"note": "Mitigation R-06 (drop sick-leave + remove sentiment scoring) reduces what crosses the boundary to this processor; final approval pending TIA addendum.", "adequate": false, "mechanism": "Pending sub-processor approval; SCCs flow-through under Art. 28(4)", "destination": "US (Analytics Inc. sub-processor)"}], "processor_compliance": [{"gap": "DPA covers Art. 28(3)(a-h) but Annex II TOMs need refresh to reflect supplementary technical measures from R-03 mitigation; sub-processor list to include analytics-pipeline vendor explicitly.", "country": "US", "processor": "PeopleFlow Inc.", "dpa_in_place": true, "art28_required": true}, {"gap": "Flow-through via PeopleFlow's AWS contract; AWS DPA + Module 3 SCCs cover. Verify AWS region pinning to us-east-1 only — no copy-out.", "country": "US", "processor": "AWS (us-east-1)", "dpa_in_place": true, "art28_required": true}, {"gap": "Sub-processor DPA not yet signed. Block go-live until DPA + SCCs flow-through executed and TIA addendum complete.", "country": "US", "processor": "Analytics Inc.", "dpa_in_place": false, "art28_required": true}]}, "jurisdiction_findings": [], "assumptions": [], "client_questions": [], "citation_provenance": []}
