Data Protection Impact Assessment
March 2026 · Assessor: Vilmer Frost, DPO · Review: Annual
1. Processing Activity Description
System: BatchCortex AI Batch Monitoring Platform
Purpose: Real-time monitoring and anomaly detection for pharmaceutical manufacturing batch processes, including automated deviation report generation and escalation management.
Data subjects: Pharmaceutical manufacturing operators, QA managers, Qualified Persons (QPs), and system administrators employed by or contracted to BatchCortex customers.
Personal data processed
| Data Category | Examples | Legal Basis | Retention |
|---|---|---|---|
| Identity data | Name, employee ID, role | Legitimate interest (GMP compliance) | Duration of account + 15 years (GMP requirement) |
| Contact data | Email, phone number (for escalation) | Legitimate interest (safety escalation) | Duration of account + 1 year |
| Authentication data | Hashed passwords, session tokens | Contract performance | Duration of account |
| Electronic signatures | Signer name, role, timestamp, signature meaning | Legal obligation (21 CFR Part 11, EU GMP Annex 11) | 15 years (GMP batch record retention) |
| Audit trail entries | Actor name, action, timestamp | Legal obligation (EU GMP Annex 11) | 15 years (GMP batch record retention) |
| System interaction data | Dashboard usage, feature access | Legitimate interest (product improvement) | 12 months, anonymized |
| PQR reports | Aggregate batch statistics, AI-generated summary and recommendations, QP sign-off | Legal obligation (EU GMP Chapter 1 §1.10, Chapter 4 §4.29) | 6 years after review period end (EU GMP minimum 5 years) |
Special category data: None. BatchCortex does not process health data, biometric data, or other special category data as defined in GDPR Article 9. Manufacturing process data (sensor readings, batch parameters) is not personal data.
2. Necessity and Proportionality
Why this processing is necessary
- EU GMP Annex 11 §7 mandates audit trails with user attribution for computerized systems in pharmaceutical manufacturing
- 21 CFR Part 11 requires electronic signatures with signer identification
- Safety escalation (contacting QA personnel during process deviations) requires contact data
- Regulatory retention periods (15 years for GMP batch records) are imposed by EU/national pharma law, not by BatchCortex
Proportionality measures
- Only minimum necessary personal data is collected (name, role, contact for escalation only)
- Sensor readings and batch process data are NOT linked to individual operators — they are equipment/process data
- Personal data is stripped from ML training datasets at ingestion
- No profiling, no automated individual decision-making, no marketing use
- Retention periods match regulatory requirements exactly — no longer
3. Risk Assessment
| Risk | Impact | Likelihood | Mitigation | Residual Risk |
|---|---|---|---|---|
| Unauthorized access to audit trails containing personal data | High | Low | RLS policies, role-based access, encrypted at rest (AES-256), TLS 1.3 in transit | Low |
| Data breach exposing operator contact details | Medium | Low | Encryption, access logging, 72h breach notification, minimal data collection | Low |
| Excessive retention of personal data | Medium | Low | Automated retention policies aligned to GMP requirements, documented deletion procedures | Low |
| Cross-border data transfer to non-EU jurisdiction | High | Low | All infrastructure EU-based, sub-processors bound by SCCs, no non-EU transfers | Low |
| AI system processing personal data without transparency | Medium | Low | AI processes batch data only, not personal data; all AI outputs labeled; SHAP explainability | Low |
| Sub-processor breach (Supabase, Twilio, etc.) | Medium | Low | Sub-processor DPAs in place, EU data residency confirmed, vendor security certifications reviewed | Low |
4. Measures to Address Risks
Technical measures
- AES-256 encryption at rest (Supabase managed)
- TLS 1.3 encryption in transit
- Row-Level Security (RLS) on all database tables, scoped to organization
- Immutable audit trail (database trigger prevents UPDATE/DELETE on events_log)
- SHA-256 hash chain on audit trail entries for tamper detection
- Session-based authentication with secure token handling
- Sentry error tracking configured to strip PII before transmission
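As an added illustration of the SHA-256 hash chain listed above (example code, not BatchCortex's own implementation; the row fields, the canonical JSON encoding and the all-zero genesis anchor are assumptions), this shows how a verifier walks the chain and detects an edited row or a deleted row:

```python
import hashlib
import json
from dataclasses import dataclass, replace
GENESIS_HASH = "0" * 64  # anchor for the first row (assumed convention)

@dataclass(frozen=True)
class AuditEntry:
    seq: int         # monotonically increasing row number
    actor: str       # user attributed to the action (Annex 11 §7)
    action: str
    timestamp: str
    prev_hash: str   # entry_hash of the preceding row
    entry_hash: str  # SHA-256 over this row's fields plus prev_hash

def compute_hash(seq, actor, action, timestamp, prev_hash):
    # Canonical JSON so identical fields always hash identically
    payload = json.dumps({"seq": seq, "actor": actor, "action": action,
                          "timestamp": timestamp, "prev_hash": prev_hash},
                         sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()

def append_entry(chain, actor, action, timestamp):
    prev = chain[-1].entry_hash if chain else GENESIS_HASH
    seq = len(chain) + 1
    chain.append(AuditEntry(seq, actor, action, timestamp, prev,
                            compute_hash(seq, actor, action, timestamp, prev)))
    return chain

def verify_chain(chain):
    # (True, None) or (False, seq of first bad row); catches edits, relinks and deletions (seq gap)
    prev = GENESIS_HASH
    for expected_seq, e in enumerate(chain, start=1):
        if e.seq != expected_seq or e.prev_hash != prev:
            return False, e.seq
        if compute_hash(e.seq, e.actor, e.action, e.timestamp, e.prev_hash) != e.entry_hash:
            return False, e.seq
        prev = e.entry_hash
    return True, None

def build_sample_chain():
    # Constructed sample events, not real BatchCortex data
    chain = []
    append_entry(chain, "operator.a", "ack_deviation", "2026-03-01T08:00:00Z")
    append_entry(chain, "qa.manager", "approve_report", "2026-03-01T09:15:00Z")
    append_entry(chain, "qp.signer", "sign_batch", "2026-03-01T10:30:00Z")
    return chain

def tamper_actor(chain, seq, new_actor):
    # Simulates a direct row edit that bypasses the application layer
    return [replace(e, actor=new_actor) if e.seq == seq else e for e in chain]
```

The verifier only proves integrity relative to the last trusted hash; in practice the head hash is also recorded out of band so that truncation of the whole tail is detectable.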
Organizational measures
- Privacy Policy publicly available at batchcortex.com/legal/privacy
- DPA template available for all customers
- Sub-processor list publicly disclosed
- Data Subject Access Request process documented (30-day response)
- Data breach notification procedure: 72 hours to supervisory authority, without undue delay to affected data subjects
- Annual DPIA review cycle
Data minimization
- Contact data (phone) only collected for users in escalation chains — not all users
- ML model training uses only anonymized, aggregated process data
- No cookies collect personal data (see Cookie Policy)
- Personal data fields are not included in batch reports shared externally
5. Consultation
This DPIA will be submitted to qualified Swedish legal counsel for review. If residual risks are identified that cannot be mitigated, consultation with the Swedish Authority for Privacy Protection (IMY) will be initiated per GDPR Article 36.
6. Conclusion
The processing activities described present low residual risk to data subjects' rights and freedoms after implementation of the documented technical and organizational measures. The primary risk drivers (audit trail attribution, electronic signatures, escalation contacts) are mandated by pharmaceutical regulation, and the data minimization measures in place ensure proportionality.
This DPIA is a living document. Next review: September 2026 or upon material system change, whichever is earlier.
BatchCortex AB (i.o.) · Stockholm, Sweden · vilmer@batchcortex.com