Data protection according to GDPR: the record of processing activities
The General Data Protection Regulation (GDPR) requires companies to document all processing activities. Processing activities are operations in which personal data are processed. All processing activities must be documented in a directory, the directory of processing activities - also known as a directory of procedures. In this article, we clarify who must keep a register of processing activities and what information it should contain.
Main information on the register of processing activities
- According to the General Data Protection Regulation (GDPR), companies must maintain a record of processing activities
- The record of processing activities documents all processing activities of a company
- Processing activities are operations in which personal data are processed
- The legal provisions on the register of processing activities are regulated in Article 30 GDPR
- Before the entry into force of the GDPR, the directory of processing activities was called a "record of processing".
What are processing activities and what is a processing directory?
Are there differences between the record of processing activities and the procedure directory?
The term "record of processing activities" comes from the BDSG and means an overview of the procedures used. With the replacement of the BDSG by the GDPR in 2018, the directory was renamed and minor adjustments were made.
One difference is that the distinction between an internal and a public directory, as provided for in the BDSG, was dropped. In addition, since the GDPR there is no longer an obligation to make the directory accessible to data subjects; instead, data subjects must be informed about the processing of their personal data. Essentially, this means that the procedure directory and the processing directory are the same thing.
Who must keep a processing directory in accordance with the GDPR?
The GDPR provides that controllers and processors each create their own record of processing activities (VVT, from the German Verzeichnis von Verarbeitungstätigkeiten). Article 30(1) GDPR regulates which information controllers must keep in their processing directory.
A controller is any person who, alone or jointly with others, determines the purposes and means of the processing of personal data.
However, processors who process personal data on behalf of a controller must also draw up a processing directory. In doing so, they must comply with the requirements of Art. 30 para. 2 GDPR.
Are there any exemptions from the obligation to keep the record of processing activities?
Article 30(5) GDPR waives the obligation to keep a processing register if an undertaking or establishment employs fewer than 250 staff and
- the processing it carries out does not present a risk to the rights and freedoms of data subjects,
- the processing is only occasional, and
- no processing of special categories of data according to Article 9 (e.g. health data) or of personal data on criminal convictions and offences referred to in Article 10 takes place.
What is the purpose of the record of processing activities?
The record of processing activities enables companies to comply with their documentation and accountability obligations under Art. 5 para. 2 GDPR. By maintaining a processing directory, your company not only achieves transparency regarding the processing of personal data, but is also legally protected in the event of an audit by the data protection supervisory authorities.
What information is included in each processing activity?
According to Article 30(1) GDPR, the controller is obliged to record the following information for each processing activity:
- The purpose of the processing
- Categories of data subjects (e.g. applicants, customers)
- Categories of personal data (e.g. contact and address data), in particular whether special categories such as health data are involved
- Categories of recipients of personal data (e.g. public authorities)
- In case of transfer to third countries: indication of the third country or international organisation
- Erasure periods, observing the applicable retention periods
- Description of the technical and organisational measures (TOMs), or a reference to an existing security concept containing the TOMs
The mandatory disclosures for processors are significantly reduced: information on the purpose of the processing and on the categories of data subjects, data and recipients is omitted. Instead, processors must specify the categories of processing carried out on behalf of each controller.
Model for a completed processing activity
| Field | Entry |
|---|---|
| Description | Internal and external communication via e-mail |
| Applies at locations | Sample city 1, sample city 2 |
| Applies in functional areas | All areas |
| The controller | Name of the managing director |
| Legal basis | Art. 6 para. 1 lit. b GDPR: fulfilment of the subject matter of the contract; Art. 6 para. 1 lit. c GDPR: fulfilment of a legal obligation; Art. 6 para. 1 lit. f GDPR: protection of legitimate interests |
| Justification of a legitimate interest | Communication and exchange of information with interested parties |
| Parties concerned | Prospective customers, customers, employees, employees of an external contact, applicants and many more |
| Data types | E-mail (general), e-mail boxes, attachments (containing personal data) |
| Categories of data | Address data, e-mail address, surname and first name, telephone number, etc. |
| Technical and organisational measures | Use of mail encryption |
Examples of processing activities
Typical processing activities are:
- E-mail communication
- Document Management
- Chat and messenger services
- Customer Relationship Management (CRM)
- Employee photos in public relations
- Travel expense report
- Video surveillance
How often does the list of processing activities need to be updated and reviewed?
In order to comply with the documentation and accountability obligation, the record of processing activities must be reviewed regularly and kept up to date. Accordingly, new processing activities must always be added to the processing directory.
A currency check should be carried out at regular intervals, in which all entries are reviewed. The Data Protection Conference (DSK, the conference of the German data protection supervisory authorities) also recommends that changes made to the processing directory be made traceable, with a retention period of one year for the change history.
What are the sanctions for not having a record of processing activities?
The register of processing activities can be requested by the competent supervisory authority at any time. If the VVT is found to be missing or incomplete, fines may be imposed. These are set out in Art. 83 GDPR and amount to up to EUR 10 million or up to 2% of the worldwide annual turnover (Art. 83 para. 4 lit. a).
In addition, a breach of the accountability principle under Art. 5 para. 2 GDPR may be assumed, for which significantly higher fines are to be expected.
Implementation and documentation of the record of processing activities with Robin Data software
The Robin Data software helps you to create your processing directory. In four simple steps, your company-specific directory is created in a data-protection-compliant manner and quickly filled with processing activities.
If you are interested in implementing and documenting the technical and organisational measures with the Robin Data software, you can download the individual articles in our Help Center or visit our free online demos.
1. Select industry
Based on your industry, the directory of processing activities is automatically preconfigured for your company. This means that a large part of the work is already done, because the most important information for your industry is already stored.
2. Select processing activities
From the list of processing activities, select those that are carried out in your company. You can easily delete those that do not apply and add missing ones.
3. Edit processing activities
You can easily edit the processing activities stored for your industry. A large part of the information required for each processing activity under Article 30 GDPR is already stored; the rest is simply added with the help of a large selection of predefined data.
New processing activities that are common in your industry are regularly proposed to you, so your directory is always up to date.