Data Protection Officers prepare an activity report in accordance with the GDPR


The activity report: template, example and content according to the GDPR

Data protection officers and data controllers must account for compliance with certain measures in the course of the General Data Protection Regulation (GDPR) or be able to prove their implementation. In order to prove the implementation of relevant activities in data protection, it is advisable to maintain an activity report. Activity reports are also significant in the event of a review by the data protection supervisory authority.

A meaningful activity report should be kept continuously and contain detailed information on legally required data protection measures. At first, this sounds complex and can also be time-consuming. However, there are now many digital solutions with which you can create an activity report as a summary of all activities carried out at the push of a button.

In the following article we inform you about the necessity of an activity report and its contents. We also present an effective digital solution for the preparation of an activity report.

Most important information about the activity report

  • The GDPR only obliges supervisory authorities to prepare an activity report, but there are many reasons for data protection officers and controllers to prepare such a report as well.
  • The activity report serves as a central record and should contain all activities related to the accountability, verification and documentation obligations.
  • The activity report provides an overview of all current activities and tasks in the area of data protection and enables collaboration between all members of the data protection organisation.
  • An activity report can now be maintained digitally, which has many advantages.

Whitepaper: Implementing the obligation to provide evidence in the activity report in conformity with the GDPR


In the white paper "Implementing the obligation to provide evidence in the activity report in compliance with the GDPR" you will:

  • Get information on the definition and importance of the activity report
  • Understand the relationship between the evidence requirements of the GDPR and the activity report
  • Learn the contents of the activity report
  • Get important notes on the implementation of the activity report
  • Learn how to complete the activity report in only 6 steps
  • Find examples of activities and categories of activities

Unfortunately this content is currently only available in German. Please feel free to contact us for more information.

Definition and importance: What is the activity report according to the GDPR?

The activity report can be regarded as an internal audit report on the status of data protection in the company. It is a written record of all important information about the current status of data protection and of the measures implemented. The internal or external data protection officer is responsible for maintaining the activity report, in cooperation with the other members of the data protection organisation.

In addition to documenting implemented measures, the activity report also highlights open points that serve as a basis for the controller's decisions. By maintaining and documenting the activity report, the internal or external data protection officer fulfils the documentation obligation that management, as the controller, requires.

The activity report under the General Data Protection Regulation is defined in Article 59 GDPR. According to that article, supervisory authorities are legally obliged to draw up an annual activity report. This report contains a list of the types of infringements reported and the types of measures taken according to Article 58 (2) GDPR.

There is therefore no legal obligation for data protection officers or data controllers to prepare an activity report. However, there are various advantages and reasons for preparing an activity report.

Fulfil verification and accountability obligations

Although there is no legal obligation for the controller to prepare an activity report, there are so-called accountability and verification obligations.

The accountability requirements are set out in Article 5 (2) GDPR and essentially oblige the controller to comply with the principles for the processing of personal data. Compliance with these principles must be verifiable and can be reviewed by data protection supervisory authorities. Such an audit focuses in particular on the obligation to keep a record of processing activities, the data processing agreements, the technical and organisational measures, the data protection impact assessment, the appointment of a data protection officer, proof of employee training and the handling of data protection incidents.

The implementation of these GDPR requirements is to be understood as a set of data protection activities. Evidence of GDPR-compliant implementation can and should be continuously incorporated into an activity report.

Provide evidence to supervisory authorities

Data protection supervisory authorities are legally obliged to monitor and enforce the application of the GDPR (Article 57 GDPR). Furthermore, the supervisory authorities have corresponding investigative powers that allow them to order controllers to provide information on the implementation of the requirements of the GDPR (Article 57 GDPR). Proof of the implementation of these requirements can be provided by data controllers and data protection officers by means of the activity report.

Fulfil the documentation requirements of the GDPR

In addition to the activity report and the accountability and evidence requirements, the GDPR contains further documentation obligations. The two most important are the obligation to keep a record of processing activities pursuant to Article 30 GDPR and the preparation of data protection impact assessments in accordance with Recital 90 of the GDPR.

Important component of the data protection management system

Compiling data protection activities in a report is also an important part of establishing a functioning data protection management system. The various persons in the data protection organisation, such as the controller, the data protection officer or the data protection coordinator, maintain the status of individual data protection activities in this report. In this way, everyone involved keeps an overview of the status, the processes and compliance with data protection. Data protection officers use the activity report to monitor the implementation of defined data protection guidelines. Controllers, for their part, can use the report to assess the performance of the (external) data protection officer.

Support in the implementation of the activity report

Translating the various legal and normative requirements into an activity report can seem complicated. Regular reviews and updates of your activity report help to optimise your compliance management system. Our data protection officers (DPOs) are happy to support you in implementing your activity report. Find out about the benefits, process and costs with Robin Data.

Contents of the activity report

The General Data Protection Regulation does not regulate in detail which contents an activity report must contain. However, it makes sense to include all activities related to the accountability and verification obligations in the report. This applies to all data protection measures carried out in the course of the current year:

  • Examination and appointment of a data protection officer
  • The status of the current processing activities in the company
  • All data processing agreements, confidentiality agreements, data protection incidents and all other points concerning data protection in the company
  • The implementation of data protection guidelines such as non-disclosure agreements or the handling of data protection incidents
  • The current status of technical and organisational measures (TOMs)
  • Instructions for staff on how to deal with the defined TOMs
  • Implementation of data subject rights
  • Creation and status of the erasure concept
  • Training and awareness-raising measures carried out for employees

General information such as the contact details of the controller and the data protection officer and the date of preparation of the activity report must also be included.

Distinction between activity reports and data protection reports

Data protection audit report

A data protection audit reviews the implementation of data protection in the company and identifies potential for improvement. The result is evaluated in a report, and concrete measures and responsibilities are defined. The data protection audit report covers the objectives, the scope, the relevant criteria and the name of the auditor. The main difference from the activity report is that an external auditor is commissioned to review the company's level of data protection, whereas the activity report is primarily the responsibility of the data protection officer.

Activity reports of the data protection supervisory authorities of the federal states

The data protection commissioners of the federal states as well as the federal data protection commissioner are obliged to publish an annual activity report according to Article 59 of the GDPR. This report is also handed over to the parliament and the government of the respective federal state. The current activity reports can be found on the websites of the data protection supervisory authorities.

Notes on the implementation of the activity report

How can measures be documented?

The GDPR does not specify any concrete requirements for the preparation of an activity report. However, given the obligation to provide evidence, written documentation of the activities in the activity report makes sense. Keeping an overview of the documentation of all relevant activities is the biggest challenge in preparing an activity report. For this reason there are automated and digital software solutions for maintaining the activity report.

How often does the activity report need to be updated and reviewed?

In order to comply with the documentation and accountability obligations, the activity report and the activities it contains must be reviewed and updated regularly. However, it is sufficient to prepare the activity report itself annually.

Preparation of an activity report with Robin Data ComplianceOS®

Activity report template in Robin Data

Data protection is implemented in accordance with the applicable data protection laws (e.g. GDPR, BDSG) and the special regulations of an organisation's sector. These legal requirements result in certain obligations for the controller, the implementation of which must often be proven. These obligations are implemented through activities that can be documented in Robin Data ComplianceOS®. You manage all of these activities in the Robin Data Activity Manager.

The Robin Data compliance platform offers standardised templates and samples in the form of input forms that support you in creating activities. Important data can be entered or selected from Robin Data's extensive database using drop-down menus. Store responsibilities and inform people by e-mail. Divide activities into categories, some of which are derived from data protection law (e.g. from the rights of data subjects) or arise from everyday work in data protection (e.g. planned data erasures).

If you are interested in implementing and documenting the activities with Robin Data ComplianceOS®, you can find the individual steps in our Help Center or book a free initial meeting.

Screenshot of the Activity Manager from Robin Data ComplianceOS

In 6 steps to the activity report with Robin Data

  1. Create activity

     • Give the activity a title and description
     • Select an applicable category of activity from the Robin Data database
     • Store relevant information such as start date, deadline, input channel or the enquirer
     • Assign a status to the activity

  2. Assign a responsible person to the activity

     • Select a responsible person from your data protection organisation
     • Define this person as the responsible person in the activity form
     • Inform this person about the activity by e-mail

  3. Define subtasks

     • Create further subtasks for the activity
     • Assign these to persons from your data protection organisation

  4. Continue activity

     • Continue to work collaboratively on the activity
     • Update the status or change the responsibility
     • Add further relevant content such as attachments, external links or linked documents

  5. Manage all activities in the Activity Manager

     • The activity is automatically added to the Activity Manager
     • The Activity Manager contains a list of all activities of your organisation
     • Monitor, edit and manage your tasks in one place in the Activity Manager

  6. Prepare activity report

     • Select the relevant activities for your activity report
     • Export the activity report digitally as a PDF

Schedule a meeting with Robin Data

We would be happy to show you in a personal online appointment how you can implement your requirements with Robin Data ComplianceOS®. Get an insight into the structure and range of functions and ask your questions from the user's point of view.

Caroline Schwabe
