
What is a processing directory?

Under Art. 30 GDPR, responsible bodies (controllers) are required to create a so-called processing directory, in which all processing activities involving personal data are recorded.

This is by far one of the most important documents in the entire GDPR, because it affects all companies. As soon as a company processes personal data, it is required to document these processes carefully in this directory. Of course, this also applies to processors. Although many claim that the obligation only affects companies with more than 250 employees, this exception applies only if personal data is processed merely occasionally, and that is true only in the rarest of cases. If special categories of data are involved, such as health data or religion, a processing directory must be created and maintained in any case.

What does such a processing directory look like?

How this document is organized is up to the companies themselves. Its content, however, must include the information that the GDPR makes mandatory. Typically, a clearly structured form is chosen so that all processing activities are recorded according to the same scheme and changes can be made quickly. It is therefore advisable to keep the processing directory (VVT, from the German "Verzeichnis von Verarbeitungstätigkeiten") in digital form.

The structure consists of three parts: the cover sheet, the main part and a third part. The cover sheet contains the necessary information about the company and the responsible data protection officer, whether internal or external. The main part summarizes the individual data processing operations; every single operation is documented in detail here. Its components include the name of the operation (e.g. payroll accounting), the purpose of the processing, a description of the categories of personal data processed, the recipients of the data, the deletion deadlines and, if applicable, the naming of the companies involved in the event of transmission to a third country.

The third part covers the technical and organizational measures (TOM). These are made up of individual sub-areas, such as work instructions or IT security, and serve to document that suitable data protection measures have been taken.

What happens if these obligations are disregarded?

The GDPR punishes violations with high sanctions, which are, however, set proportionately. Depending on the severity of the violation, companies face a fine of up to 20 million euros or 4% of annual turnover, whichever is higher. Fines of that magnitude, however, are aimed at large corporations and not at businesses in general. Nevertheless, the penalties are meant to be high enough to act as a deterrent. The first sanctions have already been imposed; it remains to be seen how severely the next violations will be punished.

The processing directory

The processing directory with heyData

The processing directory - the basics

When does a company need a processing directory?

The contents of a processing directory

The processing directory and the external data protection officer

heyData - for a legally secure processing directory

Modern data processing has taken on a prominent role in the world of work and has thus gained economic importance. As data subjects increasingly exercise their rights, the demands on the right to information and on transparency towards data subjects grow as well. As meaningful and up-to-date documentation, the processing directory is a core instrument for implementing data protection and transparency obligations.

Almost every company that comes into contact with personal data and its processing is legally obliged to keep a correct processing directory. The processing directory is thus the documentation that shows, in essence, how personal data is handled within the company. By putting security measures in writing, the company demonstrates data protection-compliant methods that define how data and information are protected, and the documentation thus withstands checks by the supervisory authorities. This is an important point, because in every complaint or audit the supervisory authority's first look is directed at the processing directory.

- A processing directory must be kept by every body that processes data

- The register must be kept in writing; electronic documentation satisfies this requirement

- Processors must also keep a record of processing activities

- Violations can be punished with fines of up to 10 million euros or 2% of annual turnover (of the previous financial year)

According to the GDPR, almost every company needs a detailed directory of its processing activities. This requirement applies to all natural persons, associations, companies and authorities that process personal data. Processors, or their representatives, are likewise obliged to keep a register of all commissioned processing activities and are subject to the same data protection requirements that the client must meet.

If a company is required to keep a processing record, it should explore its options for ensuring compliance with the GDPR. As the person responsible, you can create the directory yourself, but this is usually a difficult hurdle to overcome, as it takes a lot of time and carries a high risk. The safest method, and the one that does not interfere with your core business, is to hire a specialist!

heyData is happy to offer itself as your competent partner! Just talk to us!

In special circumstances, the obligation to keep a processing record may not apply. According to Art. 30(5) GDPR, a processing directory only needs to be kept if one of the following criteria is met:

- The company has at least 250 employees

- The data processing carries a risk to the rights and freedoms of data subjects

- Particularly sensitive data is processed (religion, political views, sexual orientation ...)

- Data on convictions or criminal offenses is processed

- Internal data processing takes place more than occasionally

The last point in particular is difficult for smaller companies to grasp, as there is no precise legal definition of regular versus occasional processing of personal data. Here one has to rely on case law and the relevant literature.

1. Occasional data processing is understood as processing that takes place only at long intervals or arises as an unforeseeable consequence of the core business.

2. Regular data processing is present in these cases:

- Continuous data processing, or processing clearly defined in terms of time

- Ongoing data processing

- Data processing at fixed times

If one of these points is met, the company is obliged to keep a processing directory!

The resulting documentation of all processing operations is an important pillar of data protection compliance, as a properly kept processing directory proves that all provisions of the GDPR have been complied with.

In terms of content, all automated and non-automated procedures for processing personal data are recorded in the processing directory. All data that is stored, or is yet to be stored, must be defined, and every activity related to this data must always be documented in the processing directory.

When creating a processing directory for the first time, attention should be paid to data inputs and data outputs. A separate description should be created for each individual data processing activity. If existing data is processed for a new purpose, this new processing procedure must also be recorded in writing!

"Do all customer data really have to be recorded in a processing directory?" heyData is often asked this question. The answer is simple: No. A processing directory records the data protection processes and the data categories under which personal data is processed and stored internally, not individual customer records!

Examples of such activities and data operations are:

- Processing of applicant and personnel information

- Internal and external (operational) communication processes

- Data and activities from customer service

- Marketing activities

- Activities from the finance department and accounting

- Video and audio surveillance

- Data destruction processes

Every processing directory should contain the following points:

1. Name and contact details of all those responsible for data processing

2. The contact details of the appointed data protection officer

3. The purpose of the data processing (staff, vacation, contracts ...)

4. The categories of data subjects whose data is processed (e.g. customers, employees ...)

5. The categories of recipients to whom data is or will be disclosed (e.g. suppliers, authorities or credit institutions ...)

6. Data that is transmitted to a third country or to an international organization. The third countries and international organizations must be named

7. Information about the intended deletion periods for the respective data categories

8. Descriptions of all technical and organizational measures (TOM). All security measures implemented should be shown here (e.g. IT security, video surveillance ...)

Changes must also be documented in the processing directory. If, for example, the responsibility or the named data protection officer changes, this must be recorded in the change history.

The required scope of the processing directory is not stipulated by law and is assessed case by case. If, however, the processing directory is incomplete or missing, there is a risk of fines of up to 10 million euros or up to 2% of annual turnover (of the previous financial year).

An external data protection officer is responsible for the secure and legally compliant implementation of data protection in the company and is in constant communication with the management and the specialist departments involved. The advantage of a qualified data protection officer is obvious: he has the professional and technical expertise and bears the risk within his task. To fulfill this role, the external data protection officer must keep his knowledge current through regular training and continuous learning.

When creating or editing a processing directory, the external data protection officer should be consulted for support. He has the necessary expertise and practical experience. In cooperation with the respective specialist departments and the management, all processing activities can be identified and thus documented in the processing directory.

Since the external data protection officer works within the company like an external employee, he knows all data protection-relevant processes and can thus ensure reliable documentation. He bundles all findings in the processing directory and thus ensures a complete record that withstands examination by the supervisory authorities.

Only a properly kept processing directory leads to legal certainty! A properly kept directory not only satisfies the legislature, it also saves time internally and offers a starting point for economic advantages.

heyData offers you long-term process optimization and reassuring legal security.

With heyData you are able to keep the processing directory conscientiously and have more leeway for your actual core business. Do not see the processing record as a chore: it is part of the evidence that the company is accountable in terms of data protection! This strengthens legal certainty, but also your internal and external image. The change management this entails also gives the workforce a sense of responsibility and creates a "we-feeling", which earns plus points on the economic side as well.

Contact heyData and let our data protection experts advise you!