GDPR: directory of processing activities

With the entry into force of the General Data Protection Regulation, new obligations and requirements arise for entities processing personal data. One of these requirements is the keeping of a register of processing activities (Art. 30 GDPR). This provision replaces the previously applicable rules on the procedural directory at federal and state level. The increased documentation requirements that come with it are intended to make data processors more aware of data protection issues.

Who is affected by the register of processing activities?

Under Art. 30 GDPR, a register of processing activities must be kept by the controller. In addition, there is now also an obligation for commissioned data processors. Companies that already keep or have kept a procedural directory can transfer the previous records into a register of processing activities; the processes documented there must then be checked for compatibility with the General Data Protection Regulation. Art. 30 para. 5 GDPR contains an exemption for companies with fewer than 250 employees. It should be noted, however, that this exemption already ceases to apply if the processing of personal data is "not merely occasional". Since most companies process data on a permanent basis (for example, via a website or through payroll systems), this exemption is likely to apply very rarely.

How is a register of processing activities structured under the GDPR?

According to Article 30 para. 1 GDPR, the following information must be listed:

  • the name and contact details of the controller and, where applicable, the joint controller, the controller's representative, and any data protection officer;
  • the purposes of the processing;
  • a description of the categories of data subjects and the categories of personal data;
  • the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organizations;
  • where applicable, transfers of personal data to a third country or to an international organization, including an indication of the third country or international organization concerned, and, in the case of transfers referred to in the second subparagraph of Article 49(1), documentation of the appropriate safeguards;
  • where possible, the time limits envisaged for the deletion of the various categories of data;
  • where possible, a general description of the technical and organizational measures referred to in Article 32(1).

Art. 30 para. 2 GDPR deals with the corresponding obligations of processors. The form of the register, on the other hand, is essentially free to choose. It must, however, be kept in writing, which in practice will predominantly mean electronically. A register of processing activities must also always be documented in German. In addition to the register itself, it is advisable to keep documentation of changes to its entries. This satisfies the accountability principle under Art. 5 para. 2 GDPR and makes it easier for the supervisory authorities to trace changes.

Why must a register of processing activities be kept?

As mentioned above, the purpose of keeping a register of processing activities is to encourage the entities concerned to pay more attention to data protection. Furthermore, the supervisory authorities should be able to check and understand the processing operations of companies and other bodies more easily. In contrast to the provisions of the Federal Data Protection Act on the procedural directory, the General Data Protection Regulation no longer grants everyone a right to inspect the register.
