According to Art 30, the GDPR requires that the responsible bodies have a so-called processing directory create, in which all processing activities are recorded that deal with personal data.
This is by far one of the most important documents in the entire GDPR because it affects all companies. As soon as a company processes personal data, it is required to carefully document these processes in this directory. Of course, this also applies to processors. Although many claim that the creation only affects companies with more than 250 employees, this exception only applies if the processing of personal data occurs only occasionally. However, this is only true in the rarest of cases. If there are special data categories, such as health data, religion or the like, it is the duty to create and maintain one Processing directory anyway too.
What does such a processing directory look like?
The organization of this document is up to the companies themselves. However, the content must contain the mandatory information of the GDPR. Typically, a clearly structured form is chosen in order to record all processing processes according to the same scheme and to be able to make any changes quickly. It is therefore advisable to provide the processing directory (VVT) in digital form.
The structure is limited to three parts, the cover sheet, the main part and another part. The cover sheet contains the necessary information from the company and the responsible data protection officer, whether internal or external. The main part summarizes the individual processes of data processing. Every single process is documented in detail here. Components include the process names (e.g. payroll accounting), the purpose of the processing, the description of the category of the processed personal data, the recipients of the data, the deadlines for deletion and, if applicable, the naming of the companies in the event of transmission to a third country.
The third part includes the technical and organizational measures (TOM). These are made up of individual sub-areas such as work instructions or IT security and serve to document that suitable data protection measures have been taken.
What happens if they are disregarded?
The GDPR punishes violations with high sanctions, which are, however, proportionately set. Depending on the severity of the violation of the GDPR, companies face a fine of up to 20 million euros or 4% of the annual turnover, depending on which of the penalties is the higher. However, such dimensions are intended for giants and not for the general public. Nevertheless, the penalties should be high enough to act as a deterrent. The first sanctions have already been imposed. It remains to be seen how severely the next violations will be punished.