Record of processing activities, Art. 30 para. 1
The record of processing activities is the controller’s documentation of its processes under data protection law. It makes sense to take some time when creating it and to set up an intelligent system that maps the company’s processes in appropriate detail, so that it forms a sensible basis for further data protection organization and documentation beyond the mere fulfillment of documentation obligations. A good record of processing activities captures all company processes as an interconnected whole and condenses the information so that the record can be kept up to date with reasonable effort.
What is a processing activity? Examples included
The creation of the record of processing activities is a legal obligation resulting from Article 30 (1) GDPR. The record consists of the documentation of individual processing activities. A processing activity is a process, i.e. a sequence of individual activities in which personal data are processed. How many individual activities are combined into one processing activity can be defined relatively freely: it is possible to combine several processes into one large processing activity or to map them separately. The classic example of a processing activity is personnel data processing – more on that below.
Who needs a record of processing activities?
In principle, every controller must keep a record of processing activities, i.e. every company and every public authority. There are exceptions to the documentation requirement for small companies with fewer than 250 employees, but these should be treated with caution and rarely become relevant in practice. This is because there are exceptions to the exception, i.e. cases in which these small companies must also keep a record of processing activities, namely when they
- carry out regular processing operations that pose a risk to the rights and freedoms of data subjects (this is more often the case than one might suspect);
- carry out processing operations on special categories of data (e.g., health data) (this is also the case in most companies);
- perform processing operations on criminal convictions and offenses (this is likely to be rare).
As a result, virtually all companies and public authorities are required to maintain a record of processing activities. Even where this is not the case, they are still obliged to comply with data protection law and must document this compliance because of the accountability principle in Art. 5 (2) GDPR. In any case, it makes sense to keep a record of processing activities for this purpose, because it is the usual form of documentation that a data protection authority knows and expects.
Who creates the record of processing activities?
The obligation to create the record of processing activities lies with the controller, i.e. the natural or legal person that runs the company, or the public authority. Within the internal organization, it is the management of the company or of the authority that must ensure that a record of processing activities is created. These persons may, of course, delegate the creation; this makes sense and is common practice. Management or authority leadership must then only check, or be told, that a record of processing activities has been created and is regularly maintained.
In practice, the creation of the record of processing activities is often delegated to the data protection officer or a data protection department. They coordinate the creation by setting up the corresponding document and triggering the collection of information from the departments, by inviting them to interviews, having them provide information in questionnaires or having them enter it directly into the document. Software support is, of course, useful for this process, in order to gather and consolidate information efficiently.
What belongs in a record of processing activities?
The contents of the record of processing activities are derived from Article 30 (1) GDPR. They are:
- Name and contact details of the controller;
- The purposes of the processing;
- A description of the categories of data subjects and the categories of personal data;
- The categories of recipients, including recipients in third countries or international organizations;
- Transfers of personal data to a third country or international organization;
- Time limits for erasure;
- A general description of the technical and organizational measures referred to in Article 32(1).
Depending on how the record of processing activities is used for data protection organization and documentation, it is appropriate to collect further information there, such as
- IT infrastructure used;
- software used;
- result of the check whether a data protection impact assessment has to be carried out;
- etc.
Are there “standard procedures”?
There are “standard procedures” that play a role for all or most controllers. These are, for example, procedures for processing customer data, for accounting or for operating a website. A classic processing activity is, of course, personnel data processing. It can be found in practically every company and in every public authority. In smaller companies with few staff and little activity and complexity, it may make sense to define a single “personnel data processing” processing activity and map it in the record of processing activities. In larger companies with more complex personnel processes, on the other hand, it makes sense to split the topic and map it separately, for example in processing activities for “Recruiting”, “Payroll”, “Personnel Development”, etc.
In many cases, meaningful documentation can be mapped with approximately 15 processing activities. Significantly more or significantly fewer processing activities can be an indication of documentation that is too complex or not detailed enough.
You can find useful standard procedures for your record of processing activities in our free template.
What does a sample list of processing activities look like?
Templates for the creation of the record of processing activities contain the mandatory information according to Art. 30 (1) GDPR (see above). Good templates also contain the additional information that is required for a meaningful data protection organization and documentation.