The list of processing activities or processing directory

Data protection according to GDPR

The General Data Protection Regulation (GDPR) requires companies to document all processing activities. Processing activities are operations in which personal data are processed. All processing activities must be documented in a directory, the directory of processing activities - also known as a directory of procedures. In this article, we clarify who must keep a register of processing activities and what information it should contain.

Main information on the register of processing activities

  • According to the General Data Protection Regulation (GDPR), companies must maintain a record of processing activities
  • The record of processing activities documents all processing activities of a company
  • Processing activities are operations in which personal data are processed
  • The legal provisions on the register of processing activities are regulated in Article 30 GDPR
  • Before the entry into force of the GDPR, the directory of processing activities was called a "record of processing".

Whitepaper: Implementing a Directory of Processing Activities in compliance with the GDPR

In the whitepaper "Implementing a Directory of Processing Activities in compliance with the GDPR" you will:

  • Get information on the register of processing activities, processing operations and personal data
  • Learn who must keep a register of processing activities
  • Learn which information must be included in the directory according to the GDPR
  • Find examples of processing activities
  • Find a detailed model for a completed processing activity

For only 9,00 Euro*

* All prices plus statutory value added tax

What are processing activities and what is a processing directory?

The record of processing activities (abbreviated to processing directory) is the written documentation of all processing activities involving personal data in accordance with Art. 30 GDPR. Processing activities are processes in which personal data are collected, processed and stored.

Are there differences between the record of processing activities and the procedure directory?

The term "procedure directory" comes from the BDSG and means an overview of the procedures used. When the GDPR replaced the BDSG in 2018, the directory was renamed and minor adjustments were made.

One difference is that the distinction between the internal and the public directory, as provided for by the BDSG, was dropped. In addition, since the GDPR there is no longer an obligation to make the directory accessible to data subjects; instead, they must be informed about the processing of their personal data. Essentially, this means that the procedure directory and the processing directory are the same thing.

Who must keep a processing directory in accordance with the GDPR?

The GDPR provides that both controllers and processors must each create a record of processing activities. Article 30(1) of the GDPR regulates which information controllers must keep in their processing directory.

Controllers are those persons who, alone or jointly with others, determine the purposes and means of the processing of personal data.

However, processors who process personal data on behalf of a controller must also draw up a processing directory. In doing so, they must comply with Art. 30 para. 2 GDPR.

Are there any exemptions from the obligation to keep the record of processing activities?

Article 30(5) of the GDPR waives the obligation to keep a processing register if undertakings or establishments employ fewer than 250 staff and

  • the processing they carry out does not present a risk to the rights and freedoms of data subjects,
  • the processing is only occasional,
  • no processing of special categories of data according to Article 9 (e.g. health data) or of personal data on criminal convictions and offences referred to in Article 10 takes place.

What is the purpose of the record of processing activities?

The record of processing activities enables companies to comply with their documentation and accountability obligations under Art. 5 para. 2 GDPR. By maintaining a processing directory, your company not only achieves transparency regarding the processing of personal data, but is also legally protected in the event of an audit by the data protection supervisory authorities.

What information is included in each processing activity?

According to Article 30(1) of the GDPR the controller is obliged to provide the following information on the processing activity:

  1. The purpose of the processing
  2. Categories of data subjects (e.g. applicants, customers)
  3. Categories of personal data (e.g. contact, address data), especially if they are special categories such as health data
  4. Categories of recipients of personal data (e.g. public authorities)
  5. In case of transfer to third countries: indication of the third country or international organisation
  6. Erasure periods, observing the retention periods
  7. Description of the technical and organisational measures (TOMs) and/or reference to an existing security concept with TOMs

The mandatory disclosures for processors are significantly reduced: information on the purpose of the processing and on the categories of persons, data and recipients is omitted. Instead, processors must specify the categories of processing carried out on behalf of a controller.

Model for a completed processing activity

Designation: E-mail communication
Description: Internal and external communication via e-mail
Applies at locations: Sample city 1, sample city 2
Applies in functional areas: All areas
The Controller: Name of the managing director
Legal basis:
    Art. 6 para. 1 lit. b GDPR - Fulfilment of the subject matter of the contract
    Art. 6 para. 1 lit. c GDPR - Fulfilment of a legal obligation
    Art. 6 para. 1 lit. f GDPR - Protection of legitimate interests
Justification of a legitimate interest: Communication and exchange of information with interested parties
Parties concerned: Prospective customers, customers, employees, employees of an external contact, applicants and many more.
Data types: E-mail (general), e-mail boxes, attachment (containing personal data)
Categories of data: Address data, e-mail address, surname and first name, telephone number, etc.
Risk assessment: No
Technical and organisational measures: Use of mail encryption

Examples of processing activities

Typical processing activities are:

  • E-mail communication
  • Document Management
  • Controlling
  • Chat and messenger services
  • Customer Relationship Management (CRM)
  • Employee photos in public relations
  • Payroll
  • Travel expense report
  • Video surveillance

Note

The Robin Data software contains over 1000 completed processing activities and creates the associated directory automatically.

How often does the list of processing activities need to be updated and reviewed?

In order to comply with the documentation and accountability obligation, it is necessary to regularly review the record of processing activities and keep it up to date. Accordingly, new processing activities must always be included in the processing directory.

A check that the directory is up to date should be carried out at regular intervals, and all entries should be reviewed. The data protection conference also recommends that changes made in the processing directory be kept traceable, with a storage period of one year.

What are the sanctions for not having a record of processing activities?

The register of processing activities can be requested by the competent supervisory authority at any time. If the record is found to be missing or incomplete, fines may be imposed. These are set out in Art. 83 GDPR and amount to up to € 10 million or up to 2% of the worldwide annual income (Art. 83 para. 4a).

In addition, it is possible that a breach of accountability under Art. 5 para. 2 is assumed. In that case, significantly higher fines are to be expected.

Implementation and documentation of the record of processing activities with Robin Data software

The Robin Data software helps you to create your processing directory. In 4 simple steps, your company-specific directory is created in a data protection-compliant manner and quickly filled with processing activities.


If you are interested in implementing and documenting the technical and organisational measures with the Robin Data software, you can read the individual articles in our Help Center or visit our free online demos.

1. Select branch

Based on your industry, the directory for processing activities is automatically preconfigured for your company. This means that a large part of the work is already done, because the most important information for your industry is already stored.

2. Select processing activities

From the list of processing activities, select those that are carried out in your company. You can easily delete those that do not apply and add missing ones.

3. Edit processing activities

You can easily edit the processing activities stored for your industry. A large part of the information required for processing activities under Article 30 GDPR is already stored. The rest is simply added with the help of a large selection of data.

4. Complete processing activities

New processing activities that are common in your industry are regularly proposed to you, so your directory is always up to date.

Caroline Schwabe