DPIA-DFD

DPIA Data Flow Diagrams - Appendix A Summary

This document provides an overview of the Data Flow Diagrams (DFDs) created for the Data Protection Impact Assessment (DPIA) Appendix A for Microsoft’s Commerce Financial Platforms (CFP).

Diagram Index

1. High Level Overview - A comprehensive view of all personal data flows in CFP
   • Direct DFD SVG
   • Direct Sequence Diagram SVG
2. Transaction Processing Detail - Detailed focus on payment and transaction processing
   • Direct DFD SVG
   • Direct Sequence Diagram SVG
3. Data Retention & Deletion - Lifecycle management of personal data including retention and deletion
   • Direct DFD SVG
   • Direct Sequence Diagram SVG
4. External Data Sharing - Cross-boundary data transfers to third parties
   • Direct DFD SVG
   • Direct Sequence Diagram SVG
5. User Journey Perspective - Typical user experience and data flow from a customer’s perspective
   • Direct DFD SVG
   • Direct Sequence Diagram SVG

HTML Version

For easier viewing, an HTML version of these diagrams is available:

➡️ View Interactive HTML Diagrams Online

You can also view locally by opening the HTML_Pages/index.html file in your browser to access:

• Interactive navigation between diagrams
• Mobile-friendly responsive layout
• Improved readability and accessibility

Diagram Usage Instructions

Each diagram file contains:

• A Mermaid-based flowchart visualizing the data flows
• A legend explaining the diagram elements and notation
• Key data protection elements highlighted in each process

Viewing the Diagrams

The diagrams are created using Mermaid markdown syntax. There are several ways to view them:

1. VS Code: Install the “Mermaid Preview” extension to view the diagrams directly in VS Code
2. Online Mermaid Editor: Copy the code into https://mermaid.live/ to view and edit
3. Documentation Integration: The Mermaid syntax can be directly embedded in many documentation platforms including GitHub, GitLab, and Confluence

Customizing the Diagrams

The diagrams can be customized to reflect specific implementation details:

• Data store locations can be updated to reflect actual datacenter regions
• Retention periods can be adjusted based on specific legal requirements
• Additional controls or security measures can be added as they’re implemented

Guide for Non-Technical Stakeholders

For stakeholders who may not be familiar with technical diagrams:

1. Start with the “High Level Overview” diagram to understand the complete flow
2. Each arrow represents data moving from one system to another
3. The text on each arrow describes what personal data is transferred
4. Cylinders represent databases where personal data is stored
5. Dotted lines show the boundary between Microsoft and external systems
6. Notes describe important security and data protection measures

Compliance Alignment

These diagrams have been designed to address key requirements from data protection regulations:

• GDPR Article 30: Documentation of processing activities
• GDPR Article 32: Security of processing
• GDPR Article 35: Data protection impact assessment
• CCPA/CPRA: Disclosure of data handling practices
• ISO 27001: Information security management controls

Next Steps

1. Review diagrams with key stakeholders from Legal, Privacy, and Engineering
2. Update diagrams as necessary based on feedback
3. Ensure all data flows are accurately represented
4. Incorporate into the final DPIA documentation
5. Establish a process for keeping diagrams updated as the system evolves