Client DPIA template — Natalia Analytics
A pre-filled Data Protection Impact Assessment template you can hand to your DPO. A DPIA is triggered above ~5000 phone lines (CNIL threshold for systematic monitoring of work).
1. Description of the processing
Nature of processing: collection, storage and analysis of phone call metadata (CDR) generated by the Alcatel OXE / OXO PBX of the organisation.
Scope: [to complete: number of phone lines, geographical perimeter, departments concerned]
Categories of data: phone numbers (internal and external), date and time of calls, durations, direction (in/out), redirections, trunk identifiers.
Categories of data subjects: employees of the Controller, third parties calling or being called.
Retention period: [to complete: typically 12 months for raw CDR, 36 months for aggregated KPIs. Recommended max: 5 years (Natalia Large profile).]
Recipients: HR department (anonymised aggregates), IT operations (raw CDR for troubleshooting), management (KPIs).
Sub-processors: strict disconnected mode: none. Connected mode: Natalia SAS + Gemini (Google Ireland eu-west). Support 72h: ad-hoc Natalia SAS during the intervention only.
2. Necessity & proportionality
Legal basis (art.6): [most common: legitimate interest (art.6-1-f) for IT operations and capacity planning. For HR uses, consult employee representatives and document the proportionality.]
Purposes: [detail each purpose. Avoid aggregating heterogeneous purposes under a single basis.]
Data minimisation: phone numbers are pseudonymised per tenant in the Software; only the necessary metadata are collected; raw audio is never processed.
Storage limitation: [document the retention period for each category of data and the deletion procedure at the end of the period.]
3. Risks to data subjects
| Risk | Likelihood | Severity | Notes |
|---|---|---|---|
| Re-identification of employees through call patterns | Medium | High | CDR remains identifiable even with pseudonymised external numbers. |
| Inappropriate HR monitoring | Medium | High | Aggregated KPIs may be misused to assess individual performance. |
| Data breach (external attack) | Low | High | On-prem appliance behind customer firewall, reduced attack surface. |
| Internal abuse (admin) | Medium | Medium | Mitigated by immutable audit log + auditor role separation. |
| Sub-processor LLM leak (connected mode) | Low | High | Mitigated by contractual 0-day retention + no training on prompts. |
4. Mitigation measures
- Tenant-side pseudonymisation of phone numbers, per-tenant salt.
- Role-based access control (4 roles: viewer, admin, auditor, integrator). Auditor role untouchable by admin.
- Immutable audit log with hash chain (tamper-evident).
- On-prem appliance, no remote control by Natalia in strict disconnected mode.
- Documented notice to employees (art.13 GDPR) before the processing is activated; consultation of employee representatives where required by law.
- Strict separation between IT operations purposes and HR analytics purposes (separate roles, separate dashboards, separate retention).
- Periodic review of the DPIA (recommended every 12 months or after any major scope change).
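
An added illustration of the hash-chained audit log listed above (not Natalia's implementation and not part of the template): each entry commits to its predecessor with SHA-256, so an edit or a deletion inside the log fails verification. The record fields, the genesis value and the idea of the auditor keeping the latest head hash outside the appliance are assumptions made for the example.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed fixed anchor that precedes the first entry


def _digest(prev_hash, record):
    # Canonical JSON so the same record always serialises to the same bytes.
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def append(log, record):
    """Append a record bound to the previous entry's hash; return the new head."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    entry = {"record": record, "prev": prev_hash,
             "hash": _digest(prev_hash, record)}
    log.append(entry)
    return entry["hash"]


def verify(log, expected_head=None):
    """Return (ok, index of first bad entry or None).

    expected_head is a head hash kept outside the log (assumed: by the
    auditor). Without it, truncating the tail or rebuilding the whole
    chain from scratch would still verify.
    """
    prev_hash = GENESIS
    for i, entry in enumerate(log):
        recomputed = _digest(prev_hash, entry["record"])
        if entry["prev"] != prev_hash or entry["hash"] != recomputed:
            return False, i
        prev_hash = entry["hash"]
    if expected_head is not None and prev_hash != expected_head:
        return False, len(log)
    return True, None


def sample_log():
    # Constructed sample events; field names are hypothetical.
    events = [
        {"ts": "2024-01-01T09:00:00Z", "role": "admin", "action": "login"},
        {"ts": "2024-01-01T09:05:00Z", "role": "admin", "action": "export_raw_cdr"},
        {"ts": "2024-01-01T09:10:00Z", "role": "auditor", "action": "review_log"},
    ]
    log = []
    for event in events:
        append(log, event)
    return log
```

The chain alone is only tamper-evident relative to a head hash the log writer cannot change, which is where the separate auditor role matters.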
Validation
DPO: [name, date, signature]
IT security manager: [name, date, signature]
HR director (if applicable): [name, date, signature]
Next review date: [date]