breakpilot-core/bpmn-processes/dsr-request.bpmn

<?xml version="1.0" encoding="UTF-8"?>
<bpmn:definitions xmlns:bpmn="http://www.omg.org/spec/BPMN/20100524/MODEL"
                  xmlns:bpmndi="http://www.omg.org/spec/BPMN/20100524/DI"
                  xmlns:dc="http://www.omg.org/spec/DD/20100524/DC"
                  xmlns:di="http://www.omg.org/spec/DD/20100524/DI"
                  xmlns:camunda="http://camunda.org/schema/1.0/bpmn"
                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                  id="Definitions_DSR"
                  targetNamespace="http://breakpilot.de/bpmn/dsr">

  <bpmn:process id="DSRRequestProcess" name="Data Subject Request (GDPR)" isExecutable="true">

    <!-- Start Event -->
    <bpmn:startEvent id="start" name="DSR eingereicht">
      <bpmn:outgoing>flow_to_validate</bpmn:outgoing>
    </bpmn:startEvent>

    <!-- Service Task: Anfrage validieren -->
    <bpmn:serviceTask id="validate_request" name="Anfrage validieren" camunda:delegateExpression="${validateDSRDelegate}">
      <bpmn:incoming>flow_to_validate</bpmn:incoming>
      <bpmn:outgoing>flow_to_validation_gateway</bpmn:outgoing>
    </bpmn:serviceTask>

    <!-- Gateway: Anfrage gueltig? -->
    <bpmn:exclusiveGateway id="validation_gateway" name="Anfrage gueltig?">
      <bpmn:incoming>flow_to_validation_gateway</bpmn:incoming>
      <bpmn:outgoing>flow_valid</bpmn:outgoing>
      <bpmn:outgoing>flow_invalid</bpmn:outgoing>
    </bpmn:exclusiveGateway>

    <!-- Service Task: Anfrage ablehnen -->
    <bpmn:serviceTask id="reject_request" name="Anfrage ablehnen" camunda:delegateExpression="${rejectDSRDelegate}">
      <bpmn:incoming>flow_invalid</bpmn:incoming>
      <bpmn:outgoing>flow_to_reject_end</bpmn:outgoing>
    </bpmn:serviceTask>

    <!-- End Event: Abgelehnt -->
    <bpmn:endEvent id="end_rejected" name="DSR abgelehnt">
      <bpmn:incoming>flow_to_reject_end</bpmn:incoming>
    </bpmn:endEvent>

    <!-- Gateway: Request-Typ -->
    <bpmn:exclusiveGateway id="type_gateway" name="Request-Typ?">
      <bpmn:incoming>flow_valid</bpmn:incoming>
      <bpmn:outgoing>flow_access</bpmn:outgoing>
      <bpmn:outgoing>flow_deletion</bpmn:outgoing>
      <bpmn:outgoing>flow_portability</bpmn:outgoing>
      <bpmn:outgoing>flow_rectification</bpmn:outgoing>
    </bpmn:exclusiveGateway>

    <!-- Sub-Process: Daten-Zugang (Art. 15) -->
    <bpmn:subProcess id="access_subprocess" name="Daten-Zugang (Art. 15)">
      <bpmn:incoming>flow_access</bpmn:incoming>
      <bpmn:outgoing>flow_access_done</bpmn:outgoing>

      <bpmn:startEvent id="access_start" />

      <bpmn:serviceTask id="collect_data" name="Daten sammeln" camunda:delegateExpression="${collectUserDataDelegate}" />

      <bpmn:serviceTask id="anonymize_data" name="Daten anonymisieren" camunda:delegateExpression="${anonymizeDataDelegate}" />

      <bpmn:userTask id="review_data" name="Daten pruefen" camunda:candidateGroups="data_protection_officer">
        <bpmn:extensionElements>
          <camunda:formData>
            <camunda:formField id="dataComplete" label="Daten vollstaendig" type="boolean" />
            <camunda:formField id="sensitivePII" label="Sensible PII entfernt" type="boolean" />
          </camunda:formData>
        </bpmn:extensionElements>
      </bpmn:userTask>

      <bpmn:serviceTask id="prepare_export" name="Export vorbereiten" camunda:delegateExpression="${prepareExportDelegate}" />

      <bpmn:endEvent id="access_end" />
    </bpmn:subProcess>

    <!-- Sub-Process: Daten-Loeschung (Art. 17) -->
    <bpmn:subProcess id="deletion_subprocess" name="Daten-Loeschung (Art. 17)">
      <bpmn:incoming>flow_deletion</bpmn:incoming>
      <bpmn:outgoing>flow_deletion_done</bpmn:outgoing>

      <bpmn:startEvent id="deletion_start" />

      <bpmn:serviceTask id="identify_data" name="Daten identifizieren" camunda:delegateExpression="${identifyUserDataDelegate}" />

      <bpmn:userTask id="approve_deletion" name="Loeschung genehmigen" camunda:candidateGroups="data_protection_officer">
        <bpmn:extensionElements>
          <camunda:formData>
            <camunda:formField id="legalRetention" label="Aufbewahrungspflicht?" type="boolean" />
            <camunda:formField id="deletionApproved" label="Loeschung genehmigt" type="boolean" />
          </camunda:formData>
        </bpmn:extensionElements>
      </bpmn:userTask>

      <bpmn:serviceTask id="execute_deletion" name="Daten loeschen" camunda:delegateExpression="${executeDataDeletionDelegate}" />

      <bpmn:serviceTask id="verify_deletion" name="Loeschung verifizieren" camunda:delegateExpression="${verifyDeletionDelegate}" />

      <bpmn:endEvent id="deletion_end" />
    </bpmn:subProcess>

    <!-- Sub-Process: Daten-Portabilitaet (Art. 20) -->
    <bpmn:subProcess id="portability_subprocess" name="Daten-Portabilitaet (Art. 20)">
      <bpmn:incoming>flow_portability</bpmn:incoming>
      <bpmn:outgoing>flow_portability_done</bpmn:outgoing>

      <bpmn:startEvent id="portability_start" />

      <bpmn:serviceTask id="collect_portable_data" name="Portable Daten sammeln" camunda:delegateExpression="${collectPortableDataDelegate}" />

      <bpmn:serviceTask id="format_data" name="Daten formatieren (JSON)" camunda:delegateExpression="${formatPortableDataDelegate}" />

      <bpmn:endEvent id="portability_end" />
    </bpmn:subProcess>

    <!-- Sub-Process: Berichtigung (Art. 16) -->
    <bpmn:subProcess id="rectification_subprocess" name="Berichtigung (Art. 16)">
      <bpmn:incoming>flow_rectification</bpmn:incoming>
      <bpmn:outgoing>flow_rectification_done</bpmn:outgoing>

      <bpmn:startEvent id="rectification_start" />

      <bpmn:userTask id="review_rectification" name="Berichtigung pruefen" camunda:candidateGroups="data_protection_officer" />

      <bpmn:serviceTask id="apply_rectification" name="Daten berichtigen" camunda:delegateExpression="${applyRectificationDelegate}" />

      <bpmn:endEvent id="rectification_end" />
    </bpmn:subProcess>

    <!-- Gateway: Zusammenfuehrung -->
    <bpmn:exclusiveGateway id="merge_gateway">
      <bpmn:incoming>flow_access_done</bpmn:incoming>
      <bpmn:incoming>flow_deletion_done</bpmn:incoming>
      <bpmn:incoming>flow_portability_done</bpmn:incoming>
      <bpmn:incoming>flow_rectification_done</bpmn:incoming>
      <bpmn:outgoing>flow_to_notify</bpmn:outgoing>
    </bpmn:exclusiveGateway>

    <!-- Service Task: Betroffenen benachrichtigen -->
    <bpmn:serviceTask id="notify_subject" name="Betroffenen benachrichtigen" camunda:delegateExpression="${notifyDataSubjectDelegate}">
      <bpmn:incoming>flow_to_notify</bpmn:incoming>
      <bpmn:outgoing>flow_to_audit</bpmn:outgoing>
    </bpmn:serviceTask>

    <!-- Service Task: Audit Log -->
    <bpmn:serviceTask id="create_audit" name="Audit Log erstellen" camunda:delegateExpression="${createAuditLogDelegate}">
      <bpmn:incoming>flow_to_audit</bpmn:incoming>
      <bpmn:outgoing>flow_to_end</bpmn:outgoing>
    </bpmn:serviceTask>

    <!-- End Event -->
    <bpmn:endEvent id="end" name="DSR abgeschlossen">
      <bpmn:incoming>flow_to_end</bpmn:incoming>
    </bpmn:endEvent>

    <!-- Boundary Timer: 30-Tage GDPR Frist -->
    <bpmn:boundaryEvent id="gdpr_deadline" attachedToRef="access_subprocess" cancelActivity="false">
      <bpmn:timerEventDefinition>
        <bpmn:timeDuration>P25D</bpmn:timeDuration>
      </bpmn:timerEventDefinition>
      <bpmn:outgoing>flow_deadline_escalation</bpmn:outgoing>
    </bpmn:boundaryEvent>

    <!-- Service Task: Eskalation an DSB -->
    <bpmn:serviceTask id="escalate_dsb" name="Eskalation an DSB" camunda:delegateExpression="${escalateToDSBDelegate}">
      <bpmn:incoming>flow_deadline_escalation</bpmn:incoming>
    </bpmn:serviceTask>

    <!-- Sequence Flows -->
    <bpmn:sequenceFlow id="flow_to_validate" sourceRef="start" targetRef="validate_request" />
    <bpmn:sequenceFlow id="flow_to_validation_gateway" sourceRef="validate_request" targetRef="validation_gateway" />
    <bpmn:sequenceFlow id="flow_valid" sourceRef="validation_gateway" targetRef="type_gateway">
      <bpmn:conditionExpression xsi:type="bpmn:tFormalExpression">${valid == true}</bpmn:conditionExpression>
    </bpmn:sequenceFlow>
    <bpmn:sequenceFlow id="flow_invalid" sourceRef="validation_gateway" targetRef="reject_request">
      <bpmn:conditionExpression xsi:type="bpmn:tFormalExpression">${valid == false}</bpmn:conditionExpression>
    </bpmn:sequenceFlow>
    <bpmn:sequenceFlow id="flow_to_reject_end" sourceRef="reject_request" targetRef="end_rejected" />
    <bpmn:sequenceFlow id="flow_access" sourceRef="type_gateway" targetRef="access_subprocess">
      <bpmn:conditionExpression xsi:type="bpmn:tFormalExpression">${requestType == 'access'}</bpmn:conditionExpression>
    </bpmn:sequenceFlow>
    <bpmn:sequenceFlow id="flow_deletion" sourceRef="type_gateway" targetRef="deletion_subprocess">
      <bpmn:conditionExpression xsi:type="bpmn:tFormalExpression">${requestType == 'deletion'}</bpmn:conditionExpression>
    </bpmn:sequenceFlow>
    <bpmn:sequenceFlow id="flow_portability" sourceRef="type_gateway" targetRef="portability_subprocess">
      <bpmn:conditionExpression xsi:type="bpmn:tFormalExpression">${requestType == 'portability'}</bpmn:conditionExpression>
    </bpmn:sequenceFlow>
    <bpmn:sequenceFlow id="flow_rectification" sourceRef="type_gateway" targetRef="rectification_subprocess">
      <bpmn:conditionExpression xsi:type="bpmn:tFormalExpression">${requestType == 'rectification'}</bpmn:conditionExpression>
    </bpmn:sequenceFlow>
    <bpmn:sequenceFlow id="flow_access_done" sourceRef="access_subprocess" targetRef="merge_gateway" />
    <bpmn:sequenceFlow id="flow_deletion_done" sourceRef="deletion_subprocess" targetRef="merge_gateway" />
    <bpmn:sequenceFlow id="flow_portability_done" sourceRef="portability_subprocess" targetRef="merge_gateway" />
    <bpmn:sequenceFlow id="flow_rectification_done" sourceRef="rectification_subprocess" targetRef="merge_gateway" />
    <bpmn:sequenceFlow id="flow_to_notify" sourceRef="merge_gateway" targetRef="notify_subject" />
    <bpmn:sequenceFlow id="flow_to_audit" sourceRef="notify_subject" targetRef="create_audit" />
    <bpmn:sequenceFlow id="flow_to_end" sourceRef="create_audit" targetRef="end" />
    <bpmn:sequenceFlow id="flow_deadline_escalation" sourceRef="gdpr_deadline" targetRef="escalate_dsb" />

  </bpmn:process>

  <!-- BPMN Diagram -->
  <bpmndi:BPMNDiagram id="BPMNDiagram_1">
    <bpmndi:BPMNPlane id="BPMNPlane_1" bpmnElement="DSRRequestProcess">
      <bpmndi:BPMNShape id="start_di" bpmnElement="start">
        <dc:Bounds x="152" y="252" width="36" height="36" />
      </bpmndi:BPMNShape>
      <bpmndi:BPMNShape id="validate_request_di" bpmnElement="validate_request">
        <dc:Bounds x="240" y="230" width="100" height="80" />
      </bpmndi:BPMNShape>
      <bpmndi:BPMNShape id="validation_gateway_di" bpmnElement="validation_gateway" isMarkerVisible="true">
        <dc:Bounds x="395" y="245" width="50" height="50" />
      </bpmndi:BPMNShape>
      <bpmndi:BPMNShape id="type_gateway_di" bpmnElement="type_gateway" isMarkerVisible="true">
        <dc:Bounds x="545" y="245" width="50" height="50" />
      </bpmndi:BPMNShape>
      <bpmndi:BPMNShape id="end_di" bpmnElement="end">
        <dc:Bounds x="1502" y="252" width="36" height="36" />
      </bpmndi:BPMNShape>
    </bpmndi:BPMNPlane>
  </bpmndi:BPMNDiagram>

</bpmn:definitions>