Data Protection Academy » Data Protection Wiki » Record of processing activities
Data protection according to GDPR
Record of processing activities
The General Data Protection Regulation (GDPR) requires companies to document all processing activities. Processing activities are operations in which personal data are processed. All processing activities must be documented in a directory, the recordof processing activities. In this article, we clarify who must keep a record of processing activities and what information it should contain.
Main information on the record of processing activities
- According to the General Data Protection Regulation (GDPR), companies must maintain a record of processing activities
- The record of processing activities documents all processing activities of a company
- Processing activities are operations in which personal data are processed
- The legal provisions on the record of processing activities are regulated in Article 30 GDPR
- Before the GDPR came into force, the register of processing activities was called the "register of procedures"
Content on the record of processing activities:
Whitepaper Implementing a record of processing activities in compliance with the GDPR
In the Directory of Processing Activities Implementing GDPR Compliant you will find:
- Get information on the record of processing activities and to Processing operations and personal data
- Learn who must keep a register of processing activities
- Learn which Information according to DSGVO must be included in the directory
- Including Examples of processing activities
- Including detailed Model for a completed processing activity
What are processing activities and what is a record of processing activities?
The record of processing activities is a written documentation of all processing activities of personal data. according to Art. 30 GDPR. Processing activities are processes in which personal data are collected, processed and stored.
Are there differences between the record of processing activities and the procedure directory?
The term "procedure directory" comes from the BDSG. and means an overview of the procedures used. With the replacement of the BDSG 2018 by the GDPR a renaming and minor adjustments were made.
One difference is that the differentiation between the internal and public record, as the BDSG provided for it, was dropped. In addition, since the GDPR, there is no longer an obligation to make the record accessible to data subjects; instead, they must be informed about the processing of their personal data. Essentially, this means that the procedure directory and the record of processing activities are the same thing.
Who must keep a record of processing activities in accordance with the GDPR?
The GDPR provides that both controllers and processors each create a VVT. Article 30 (1) of the GDPR regulates which information controllers must keep in their processing record.
As controller shall mean those persons who alone or jointly with others determine the purposes and means of the processing of personal data.
However, processors who process personal data on behalf of a controller must also draw up a processing record. In doing so, they must comply with the regulations of Art. 30 para. 2 GDPR.
Are there any exemptions from the obligation to keep the record of processing activities?
Article 30(5) of the GDPR waives the obligation to keep a processing record if undertakings or establishments employ fewer than 250 staff and
- the processing they carry out does not present a risk to the rights and freedoms of data subjects,
- the processing is only occasional,
- no processing of special categories of data according toArticle 9 (e.g. health data) or personal data. on criminal convictions and offences referred to inArticle 10takes place
What is the purpose of the record of processing activities?
The record of processing activities enables companies to comply with their documentation and accountability according to Art. 5 para. 2 GDPR. By maintaining a record processing activities, your company not only achieves transparency regarding the processing of personal data, but is also legally protected in the event of an audit by the data protection supervisory authorities.
What information is included in each processing activity?
According to Article 30(1) of the GDPR the controller is obliged to provide the following information on the processing activity:
- The purpose of the processing
- Categories of data subjects (e.g. applicants, customers)
- Categories personal data (e.g. contact, address data), especially if they are special categories such as health data.
- Categories of recipients of personal data (e.g. public authorities)
- In case of transfer to third countries: Indication of the third country or international organisation. You can find more information on this in the article Data transmission to third countries.
- Erasure periods, observing the retention periods
- Descriptions of the technical-organisational measures (TOMs) and/or reference to existing safety concept with TOMs
The mandatory disclosures by the processors are significantly reduced, so that information on the purpose of the processing, as well as the categories of persons, data and recipients are omitted. Instead, they must specify the categories of processing carried out on behalf of a controller.
Model for a completed processing activity
Designation | E-mail communication |
---|---|
Description | Internal and external communication via e-mail |
Applies at locations | Sample city 1, sample city 2 |
Applies in functional areas | All areas |
The Controller | Name of the managing director |
Legal basis | Art. 6 para. 1 lit b - GDPR Fulfilment of the subject matter of the contract Art. 6 para. 1 lit c - GDPR Fulfilment of a legal obligation Art. 6 para. 1 lit f - GDPR Protection of legitimate interests |
Justification of a legitimate interest | Communication and exchange of information with interested parties |
Parties concerned | Prospective customers, customers, employees, employees of an external contact, applicants and many more. |
Data types | E-mail (general), e-mail boxes, attachment (containing personal data) |
Categories of data | Address data, e-mail address, surname and first name, telephone number, etc. |
Risk assessment | No |
Technical and organisational measures | Use of mail encryption |
Examples of processing activities
Typical processes are:
- E-mail communication
- Document management
- Controlling
- Chat and messenger services
- Customer Relationship Management (CRM)
- Employee photos in public relations
- Payroll
- Travel expense report
- Video surveillance
How often does the list of processing activities need to be updated and reviewed?
In order to comply with the documentation and accountability obligation, it is necessary to regularly review the record of processing activities and keep it up to date. Accordingly, new processing activities must always be included in the processing record.
An up-to-dateness check should be carried out at regular intervals and all entries should be checked. The data protection conference also recommends that changes made in the record of processing activities should be made traceable with a storage period of one year.
What are the sanctions for not having a record of processing activities?
The record of processing activities can be requested by the competent supervisory authority at any time. If a missing or incomplete record of the VVT is found, fines may be imposed. These are set out in Art. 83 GDPR. and amount to up to € 10 million or up to 2% of the worldwide annual income (Art. 83 para. 4a).
In addition, it is possible that a breach of accountability under Art. 5 para. 2 is assumed. Significantly higher fines are to be expected.
Implementation and documentation of the record of processing activities with Robin Data ComplianceOS®
The Robin Data ComplianceOS® helps you to create your record of processing activities. In 4 simple steps, your company-specific directory is created in a data protection-compliant manner and quickly filled with processing activities.
If you are interested in the implementation and documentation of the Technical Organisational Measures with the Robin Data Software, you can download the individual articles in our Help Center or book free initial meetings .
1. Select branch
Based on your industry, the record of processing activities is automatically preconfigured for your company. This means that a large part of the work is already done, because the most important information for your industry is already stored.
2. Select processing activities
From the list of processing activities, select those that are carried out in your company. You can easily delete those that do not apply and add missing ones.
3. Process processing activities
You can easily edit the processing activities stored for your industry. A large part of the processing activities according to Article 30 GDPR required information is already stored. The rest is simply added with the help of a large selection of data.
4. Complete processing activities
New processing activities that are common in your industry are regularly proposed to you. So your record is always up-to-date.
- Internal control system - 10 September 2024
- TISAX requirements: Prepare certification step by step - 8 January 2024
- Audit management: Implementing audits more efficiently - 26 October 2023