Data protection according to GDPR

Record of processing activities

The General Data Protection Regulation (GDPR) requires companies to document all processing activities. Processing activities are operations in which personal data are processed. All processing activities must be documented in a directory, the record of processing activities. In this article, we clarify who must keep a record of processing activities and what information it should contain.

Main information on the record of processing activities

  • According to the General Data Protection Regulation (GDPR), companies must maintain a record of processing activities
  • The record of processing activities documents all processing activities of a company
  • Processing activities are operations in which personal data are processed
  • The legal provisions on the record of processing activities are regulated in Article 30 GDPR
  • Before the entry into force of the GDPR, the record of processing activities was called a "directory of processing".

Whitepaper Implementing a record of processing activities in compliance with the GDPR

In the whitepaper "Implementing a record of processing activities in compliance with the GDPR" you will find:

  • Information on the record of processing activities, on processing operations and on personal data
  • Who must keep a record of processing activities
  • Which information must be included in the record according to the GDPR
  • Examples of processing activities
  • A detailed model for a completed processing activity

Unfortunately this content is currently only available in German. Please feel free to contact us for more information.

What are processing activities and what is a record of processing activities?

The record of processing activities is the written documentation of all processing activities involving personal data according to Art. 30 GDPR. Processing activities are processes in which personal data are collected, processed and stored.

Are there differences between the record of processing activities and the procedure directory?

The term "procedure directory" comes from the BDSG and means an overview of the procedures used. When the GDPR replaced the BDSG in 2018, the directory was renamed and minor adjustments were made.

One difference is that the differentiation between the internal and public record, as the BDSG provided for it, was dropped. In addition, since the GDPR, there is no longer an obligation to make the record accessible to data subjects; instead, they must be informed about the processing of their personal data. Essentially, this means that the procedure directory and the record of processing activities are the same thing.

Who must keep a record of processing activities in accordance with the GDPR?

The GDPR provides that both controllers and processors each create a record of processing activities. Article 30 (1) of the GDPR regulates which information controllers must keep in their processing record.

Controllers are those persons who alone or jointly with others determine the purposes and means of the processing of personal data.

However, processors who process personal data on behalf of a controller must also draw up a processing record. In doing so, they must comply with the regulations of Art. 30 para. 2 GDPR.

Are there any exemptions from the obligation to keep the record of processing activities?

Article 30(5) of the GDPR waives the obligation to keep a processing record if undertakings or establishments employ fewer than 250 staff and

  • the processing they carry out does not present a risk to the rights and freedoms of data subjects,
  • the processing is only occasional,
  • no processing of special categories of data according to Article 9 (e.g. health data) or of personal data on criminal convictions and offences referred to in Article 10 takes place

What is the purpose of the record of processing activities?

The record of processing activities enables companies to comply with their documentation and accountability obligations according to Art. 5 para. 2 GDPR. By maintaining a record of processing activities, your company not only achieves transparency regarding the processing of personal data, but is also legally protected in the event of an audit by the data protection supervisory authorities.

What information is included in each processing activity?

According to Article 30(1) of the GDPR the controller is obliged to provide the following information on the processing activity:

  1. The purpose of the processing
  2. Categories of data subjects (e.g. applicants, customers)
  3. Categories of personal data (e.g. contact, address data), especially if they are special categories such as health data.
  4. Categories of recipients of personal data (e.g. public authorities)
  5. In case of transfer to third countries: Indication of the third country or international organisation. You can find more information on this in the article Data transmission to third countries.
  6. Erasure periods, observing the retention periods
  7. Descriptions of the technical and organisational measures (TOMs) and/or reference to an existing security concept with TOMs

The mandatory disclosures by the processors are significantly reduced, so that information on the purpose of the processing, as well as the categories of persons, data and recipients are omitted. Instead, they must specify the categories of processing carried out on behalf of a controller.

Model for a completed processing activity

Designation: E-mail communication
Description: Internal and external communication via e-mail
Applies at locations: Sample city 1, sample city 2
Applies in functional areas: All areas
The Controller: Name of the managing director
Legal basis:
  • Art. 6 para. 1 lit. b GDPR - Fulfilment of the subject matter of the contract
  • Art. 6 para. 1 lit. c GDPR - Fulfilment of a legal obligation
  • Art. 6 para. 1 lit. f GDPR - Protection of legitimate interests
Justification of a legitimate interest: Communication and exchange of information with interested parties
Parties concerned: Prospective customers, customers, employees, employees of an external contact, applicants and many more.
Data types: E-mail (general), e-mail boxes, attachment (containing personal data)
Categories of data: Address data, e-mail address, surname and first name, telephone number, etc.
Risk assessment: No
Technical and organisational measures: Use of mail encryption

Examples of processing activities

Typical processes are:

  • E-mail communication
  • Document management
  • Controlling
  • Chat and messenger services
  • Customer Relationship Management (CRM)
  • Employee photos in public relations
  • Payroll
  • Travel expense report
  • Video surveillance

Robin Data ComplianceOS® contains over 1000 completed processing activities and automatically creates the associated record

How often does the list of processing activities need to be updated and reviewed?

In order to comply with the documentation and accountability obligation, it is necessary to regularly review the record of processing activities and keep it up to date. Accordingly, new processing activities must always be included in the processing record.

The record should be checked at regular intervals to confirm that it is up to date, and all entries should be reviewed. The Data Protection Conference also recommends that changes made in the record of processing activities should be made traceable with a storage period of one year.

What are the sanctions for not having a record of processing activities?

The record of processing activities can be requested by the competent supervisory authority at any time. If the record is found to be missing or incomplete, fines may be imposed. These are set out in Art. 83 GDPR and amount to up to € 10 million or up to 2% of the worldwide annual income (Art. 83 para. 4a).

In addition, it is possible that a breach of accountability under Art. 5 para. 2 is assumed. In that case, significantly higher fines are to be expected.

Implementation and documentation of the record of processing activities with Robin Data ComplianceOS®

The Robin Data ComplianceOS® helps you to create your record of processing activities. In 4 simple steps, your company-specific directory is created in a data protection-compliant manner and quickly filled with processing activities.

If you are interested in the implementation and documentation of the Technical Organisational Measures with the Robin Data Software, you can download the individual articles in our Help Center or book free initial meetings.

1. Select industry

Based on your industry, the record of processing activities is automatically preconfigured for your company. This means that a large part of the work is already done, because the most important information for your industry is already stored.

2. Select processing activities

From the list of processing activities, select those that are carried out in your company. You can easily delete those that do not apply and add missing ones.

3. Edit processing activities

You can easily edit the processing activities stored for your industry. A large part of the information required for processing activities under Article 30 GDPR is already stored. The rest is simply added with the help of a large selection of data.

4. Complete processing activities

New processing activities that are common in your industry are regularly proposed to you, so your record is always up to date.

Caroline Schwabe
