Legal – foxondo

ChatGPT, DeepL, and friends in foxondo: How to document AI software in existing IT processes.

Nora — Wed, 29 Apr 2026 07:02:47 +0000

Everyone is talking about artificial intelligence, but in data protection documentation there is a lot of uncertainty around its usage. With foxondo, the solution is simple, and you do not need to reinvent the wheel. Today we will show you how to integrate AI software into your existing IT infrastructure and processes while staying compliant with all privacy requirements – from DPAs to third country transfers.

Where in foxondo should AI services be documented?

In most companies, AI tools are provided as general working tools. That’s why we think they are best documented in the process “Provision of operational IT infrastructure”. Instead of creating a new process, you can simply add this building block in your record of processing activities (RoPA, i.e. the “Processes” module in foxondo). This applies to all AI tools intended for general use, such as ChatGPT and CoPilot, which are used across various company departments.

There are exceptions:

If the AI tool is only used in a very specific process (for example, e.g. a chatbot that assists HR with shortlisting candidates for vacant position), then the documentation of this tool should be added to that specific process.

You should describe the usage of the AI tool in the following foxondo questions:

Systems and software

List the AI applications you use (for example ChatGPT or Microsoft Copilot) in the text field. Ideally, you would also add a short description of the intended purpose.

Legal basis and purpose

Check if the original purpose of the process also includes AI usage or if this needs to be added.

Data transfer to third countries

Many AI service providers are not located in the EU. Use the corresponding questions in foxondo to document the data transfer (keyword: data privacy framework or standard contractual clauses).

Data processing agreements

Indicate whether a data processing agreement exists for each tool. This is usually the case, especially in enterprise software. This must be documented in foxondo.

What else is important?

Depending on the application of the AI tool, a new data protection impact assessment may be required, or the existing one may need to be updated.

If you have any questions on the documentation of AI tools in foxondo, we would be happy to help. Contact us at info@foxondo.com.

Update on ‘Storage and deletion’ in the personnel management process

Nora — Mon, 24 Nov 2025 14:19:12 +0000

Why was this process changed?

In the Process of personnel management, the requirements for storage and deletion differ significantly depending on whether a person is currently employed or has already left the company. What can or even must be stored about whom, and for how long?

In the past structure of foxondo, we queried individual data categories of employees and former employees. The answers to these questions should have been different, (as a company should usually store less data on former employees than their employees). However, in practice answers did not differ significantly and the same data categories were chosen twice.

We started considering how we could improve the question of retention periods and deletion requirements in personnel management.

What have we changed?

We have replaced the questions about data categories for former employees, questions about retention periods and questions about the implementation of deletion requirements with new, clearly defined questions.

We now focus on two areas:

Which data is continuously deleted during the employment relationship?

and

What data is deleted after the end of the employment relationship?

Here you can specify, as an example, the different types of data and documents that are subject to a statutory deletion period.

Transfer of previous content

We have automatically transferred the content from the previous questions to the new questions (PHR-300 & PHR-305), where technically possible and appropriate. If content has been transferred, the questions have been given the status ‘changed’ (blue).

The new questions now cover the content in much more detail: please take a look and add any information where necessary.

As always, we welcome your feedback!

Cooperation with external parties is now easier to document

Nora — Fri, 14 Nov 2025 14:18:24 +0000

Why was this change made?

In the previous structure, the same information was required in more than one questions – for example, which external bodies have access to data and which external parties are involved in process. This occasionally led to similar answers and overlap.

By combining the two questions, we have standardized and simplified this area. Now you will provide all relevant information on cooperation with other organizations in one question on ‘Cooperation with external parties’ (PG-360 | PHR-360).

What exactly is changing?

We have removed the previous question ‘External access possibilities’ and incorporated its content into the question on ‘Cooperation with external parties’. You will find any previous content there and, if applicable, in the applicable follow-up questions.

This allows you to record the following in one place:

Whether data is processed by others on your behalf (commissioned data processing),
Whether a joint controllership exists, and
Which other external parties are involved.

You can now see at a glance who is involved in the processing, without having to enter the information twice.

What should you do now?

The good news is most users do not need to do anything; we have transferred the information for you.

We simply recommend taking a quick look at the merged question (PG-360 | PHR-360) and any applicable follow-up questions to ensure that all information has been transferred correctly and to add or clarify it if necessary.

This adjustment makes foxondo even easier to use – without any loss of information, but with greater clarity and efficiency in your documentation.

New question in the module “Processes”

Nora — Thu, 06 Nov 2025 14:17:30 +0000

The general measures applicable within the company for the protection of personal data are documented in the Data Security Module (TOMs).

Previously, foxondo had a question in each process on whether “only” the information in the data security module applied, or if additional measures had been implemented to protect the personal data.

Additionally, each process had a question about the pseudonymization of data.

The new question combines this information and directly asks: Are the existing protective measures appropriate for the level of protection which the personal data in the specific process requires?
For example, the more sensitive the data processed is, the higher the protection requirements are.

In the new question, you can document directly in the text field whether there are any additional measures – and whether the measures overall are appropriate, considering the protection requirements the personal data requires.

What does this mean for working in foxondo?

Any information documented in the pervious questions has been moved to the new question. Its status is now “changed” (blue).
If the two questions have not yet been answered, the new question is still ‘not yet answered’ (grey).

Have a look at foxondo when you get the chance: you know your own processes best and our best guess is you can answer the new question with ease.

Update for processors

Nora — Thu, 11 Sep 2025 13:15:00 +0000

If you are familiar with this topic, you have probably already documented the services you provide as a processor in a clear and orderly manner. These could be found in foxondo under the module ‘Contractual agreements’.

We have now moved them to the top navigation level, so you need fewer clicks to get there.

And if you are only realizing now that that you may be a data processor and have not yet documented these processes, then this is a good opportunity to do so.

By the way: In the CNIL’s guide for processors, the obligation to maintain a record of the clients and to describe the processing carried out on their behalf is one of the first obligations mentioned.

So it’s best to take care of this before anyone asks – fortunately, foxondo makes it easy and requires little effort.

Will the EU-U.S. Data Privacy Framework soon be cancelled?

Nora — Fri, 14 Mar 2025 14:00:00 +0000

Transatlantic data protection may be facing a new challenge: under US President Trump, the existing legal framework is being weakened rather than strengthened. This can be seen, among other things, from the fact that he has initiated a review of executive orders issued by his predecessor in office and has dismissed members of a supervisory body that is jointly responsible for compliance with the TADPF.

What does it mean if the TADPF is cancelled as a legal basis?

To date, there are two main ways of transferring personal data to the USA in a legally compliant manner:

Conclusion of EU standard contractual clauses (SCC): A tried and tested method of agreeing an appropriate level of data protection between contractual partners.
Self-certification in accordance with the TADPF: Data exchange with US companies that declare themselves to be compliant with EU data protection standards also fulfils the requirements.

Should the TADPF become invalid, all data transfers based on it would be unlawful (as was already the case with its predecessors Privacy Shield and Safe Harbour). This means that companies would then have to act quickly in order to remain GDPR-compliant.

It is unclear how likely this case is. However, companies could already consider the possible consequences and prepare alternative solutions.

How can well-maintained data protection documentation support you in this?

With foxondo you can prepare this case quickly and efficiently:

1. Identification of affected contracts

By filtering for the tags ‘third country’ + ‘legal basis’, you can easily find the relevant places in foxondo and thus identify those data processing operations in your documentation that are based on the TADPF.

You could, for example, mark these questions with the status ‘in progress’ or ‘action required’ and enter a comment that a changeover to SCCs is being examined.

2. Checking and adapting contractual bases

Check whether you can conclude EU standard contractual clauses with your service providers.

Important: Do not forget to document this change in foxondo accordingly.

3. Transfer Impact Assessment (TIA)

If a changeover to SCCs is possible, the Transfer Impact Assessment (TIA), in which the risks of data transfers to the USA are to be assessed, must be recreated. This also applies if the TADPF is cancelled.

The best way to do this is to contact your data protection officer or get in touch with us: we will be happy to support you.

Is there another alternative?

If a change of service provider is an option for you, it is best to choose a provider from the EU. You can find an overview of alternatives for digital services and cloud products here, for example: https://european-alternatives.eu/de

Do you have any questions?
Then please get in touch with us at info@foxondo.com.

Legal basis according to GDPR: Concretisation in foxondo

Nora — Tue, 18 Feb 2025 13:58:11 +0000

Improvements to the legal basis question in foxondo

We have improved foxondo questions for you! In the data protection context, the question about the legal basis for processing personal data can be answered with even more precision.

To make it easier for you to understand why we did this, we would like to take a closer look at the topic of legal basis here.

Ground rule Nr. 1: Nothing happens without Art. 6 of the GDPR!

If you want to process personal data, you absolutely must have a legal basis from Art. 6 GDPR for each process. These are:

Consent from the data subject
Performance of a contract or pre-contractual measures to which the data subject is party
Compliance with legal obligations (e.g. based on a law, regulation)
Protection of the data subject’s vital interests
Public interest or the exercise of official authority
Legitimate interests of the controller or a third party (after a legitimate interest assessment)

Do you process sensitive data?
Then Article 9 GDPR is also relevant!

Are you processing special categories of personal data such as health data or trade union membership?

Then, in addition to a legal basis from Article 6 of the GDPR, you also need a legal basis from Article 9 GDPR. This might be:

Regulations in the field of employment and social security and social protection law
Processing of data which the data subject has manifestly made public
Processing data for the establishment, exercise, or defense of legal claims
Processing data for the purposes of preventative or occupational medicine

Do you process data related to criminal convictions or offences?
Art. 10 GDPR sets strict limits!

Do you want to process data on criminal convictions or offenses? In this scenario as well, Art. 6 GDPR alone is not sufficient. You need an additional special legal basis (in particular from national law). Without this, the processing is not permitted!

Here is an example: In the application process, a company wants to check the criminal records of applicants. Even if an employer may have a legitimate interest in hiring someone with no criminal record, this is generally not permissible.

But there are exceptions to this: depending on the specific area of responsibility, questions about criminal records relating to property (e.g. in the financial sector), politics (e.g. in the area of the protection of the constitution) or traffic violations (as in the case of professional drivers) may be asked.

And what have we improved in foxondo?

Where Art. 6, 9 and 10 GDPR were previously summarized into one question in foxondo there is now an individual question per relevant GDPR article.

The European Court of Justice has clarified that the legal bases must be applied all together rather than on or the other. The new structure takes this into account, ensuring that the company will always document a legal basis as per Art. 6 GDPR and can then apply the other legal bases where applicable.

Of course, you will be guided through this topic as usual without needing to know all behind-the-scenes details.

How does this affect your previous documentation?

Don’t worry, we have automatically restructured the answers you have already provided! Nothing has been lost.

However, if you had previously only documented legal bases as per Art. 9 or 10, you will now notice that the legal basis per Art. 6 is still missing for this processing.

Therefore, we kindly ask you to check the legal basis for your processing activities or have your DPO check them.

Tip: The quickest way to find the questions about legal bases in foxondo is to filter for the tag “legal basis”.