Privacy Top 20 Ratgeber

Directory of processing activities: Record everything in writing

Previously, only the Federal Data Protection Act applied in Germany. This law states that anyone who processes personal data must provide documentation. The EU General Data Protection Act, which came into force on May 25, 2018, extends this regulation even further. You are now obliged to keep a detailed directory of processing activities. This replaces the previously known directory of procedures. The scope is laid down in Art. 30 GDPR.

It is important that you perform the required task conscientiously. This is because the competent supervisory authorities are entitled to inspect the directory of processing activities at any time. If this list is defective, incomplete or non-existent, you face fines in the millions. So what do you have to consider?

What is behind the directory of processing activities?

First and foremost, it exists to guarantee a high degree of transparency. Many data subjects are unaware of how much data is collected about them in different forms – and not every company has paid attention to whether its procedures comply with the data protection guidelines. The directory should then offer customers, employees and business partners significantly more protection. This is because companies have to document every single processing step. However, this also serves to secure a company, website operator or blogger. This is because with a lawsuit or warning the only thing they are required to present is the directory of processing activities.

Who is obliged to keep a directory?

Basically everyone who is involved in the processing of personal data. Often, however, this task is performed by the data protection officer.

There are also exceptions to this rule. This applies primarily to companies that do not exceed 250 employees. Small and medium-sized companies can be exempted from this obligation if they fulfil the following criteria:

  1. The information processed does not pose any risk to the data subjects.
  2. The company collects data only occasionally and not regularly.
  3. The contents refer to 9 (1) GDPR or Art. 10 GDPR

It is very rare, however, that someone obtains an exemption. It is enough if only one point applies to you and you have to create a directory of processing activities. Moreover, it is unlikely that a company will collect no data whatsoever. Almost every company uses a CRM or ERP system. In addition, salaries/wages have to be paid to employees. As soon as a company offers services or goods, it processes personal data. It is therefore quite unlikely to receive an exemption.

Which formalities have to be observed?

First of all, who creates the document is a relevant issue. If, for example, it is the data protection officer of your company, they must comply with Art. 30 (1) GDPR. This information therefore may not be omitted:

  • Contact details of the controller
  • Purpose of processing
  • Data category
  • Data subjects
  • Data recipient
  • Deadlines for deletion
  • Technical & organizational measures ( 32 (1) GDPR)

The document of a processor is much simpler. All the processor has to do is communicate the following items:

  • Contact details of the processor
  • Data category
  • Transfer to third countries
  • Technical & organizational measures

Both parties are obliged to keep your directory of processing activities in writing or electronically.

What penalties do you face in the event of a breach of duty?

If you are lucky, you will only receive a GDPR warning from the supervisory authorities. You will then be given a fixed period in which to draw up and produce your directory of processing activities. In the worst case, however, you will have to pay a fine. This usually amounts to a maximum of 10 million euros or 2 percent of the annual revenue. If, however, it is a gross violation (in most cases, several specifications were not complied with), the fine can be increased to up to 20 million euros or 4 percent of the annual revenue.

  1. Find out which personal data you have processed so far and what purpose this served. As a rule, this includes, for example, the contact data of your suppliers, information on your employees as well as on your customers.
  2. List all tools, software programs and plug-ins that you use in your daily work.
  3. Create an overview of the security measures you have implemented so far. This will also help you to identify any loopholes before the supervisory authorities.
  4. Be sure to involve all departments and the data protection officer.

Start with your directory of processing activities. Raise your staff’s awareness of this issue. This is the only way to ensure that every data protection officer fulfils their documentation obligations.

Directory of processing activities: a central component of the General Data Protection Regulation

It not only brings more transparency to a very confusing topic. It also provides more security on both sides: On the one hand, data subjects know that every processing step must be documented in detail. If this is not the case or if personal data is collected unlawfully, a fine is imposed. On the other hand, it also helps you as an entrepreneur to fulfil your obligation to provide documentation. If there is a problem, the directory of processing activities allows you to prove at any time that you are within the legal framework.