Directory of processing activities

from Wikipedia, the free encyclopedia

A directory of processing activities is a list of all processing activities involving personal data, which is required by European data protection law. The term was introduced by Regulation (EU) 2016/679, the General Data Protection Regulation (GDPR). The previous name in German data protection law was the directory of procedures. Regulations on the register of processing activities can be found in Article 30 of the GDPR and, where applicable, in additional provisions of the national data protection laws of the EU member states.

History

The obligation to keep a register of processing activities was introduced in the European Union when the GDPR came into force on May 25, 2018. The GDPR replaced the previous data protection regulations of the EU member states, under which, for example, a directory of procedures had to be kept in Germany according to the Federal Data Protection Act. Art. 30 GDPR obliges controllers within the meaning of data protection law (according to Art. 4 GDPR this is any "natural or legal person, authority, institution or other body that alone or jointly with others decides on the purposes and means of processing personal data") and their representatives to keep a record of all processing activities that are subject to their responsibility.

Form and content

The list of all processing activities must be in writing. It can also be managed digitally.

The minimum information is:

  • name and contact details of the controller and, if applicable, of the joint controller, the controller's representative and any data protection officer
  • the purposes of the processing
  • a description of the categories of data subjects and the categories of personal data
  • the categories of recipients to whom the personal data have been disclosed or are still being disclosed, including recipients in third countries or international organizations
  • where applicable, transfers of personal data to a third country or to an international organization, stating the country or organization

and, if possible:

  • the deadlines for deleting the various categories of data
  • a general description of the technical and organizational measures in accordance with Article 32 (1) GDPR

In Germany, these requirements are specified in Section 70 of the Federal Data Protection Act.

In addition to the controller, processors, i.e. natural or legal persons, authorities, institutions or other bodies that process personal data on behalf of a controller, are also obliged to keep a record of processing activities. Their directory must also contain the name and contact details of the processor or processors.

Legal consequences

The controllers, their processors and their representatives are obliged to make their list of processing activities available to the supervisory authority upon request.

Art. 83 GDPR provides for fines for violations of the GDPR, including violations of the obligations under Art. 30. The possible range of fines is up to 10 million euros or 2% of the annual turnover.
