Processing directory (Verarbeitungsverzeichnis)
June 27, 2018
The EU General Data Protection Regulation (EU-DSGVO) is currently keeping companies of all sizes busy, and the excitement is huge. What is really required, and where should you start? Creating and maintaining a processing directory is just one of the new obligations that the regulation imposes on businesses. Companies must comply with the accountability principle and their documentation obligations; otherwise they could face fines of up to 10 million or up to 2% of annual turnover. But what exactly is a processing directory, who is obliged to keep one, and what must it contain?
What is a processing directory?
A processing directory is ultimately nothing more than an overview of all processing operations involving personal data, for example customer, employee or supplier data. What matters is that, in case of doubt, the supervisory authority can understand how personal data are handled in the company. The structure of the directory is left to the discretion of each company, although certain information is mandatory under Art. 30 (1) EU-DSGVO: the name and contact details of the controller, the purposes of processing, a description of the categories of data subjects, the categories of personal data, the categories of recipients of the data, transfers to a third country where applicable, and, where possible, the envisaged deadlines for deletion and a description of the technical and organisational measures. It is also recommended to state the applicable legal basis for each processing operation.
Who must keep a directory?
In principle, Art. 30 (1) EU-DSGVO requires every controller to keep a register of all processing activities. There is a theoretical exception: companies with fewer than 250 employees are exempt from this requirement. But nobody should rejoice too soon: the exception applies only if the processing is merely occasional, if no special categories of data such as health or religious data are processed, and if the processing does not involve a risk to the rights and freedoms of the data subjects. The last restriction applies to a certain extent to all processing of personal data, although the legislator may well have a "specific risk" in mind. In most cases, however, this question can be left open, because the exception is unavailable in any case to companies that operate, for example, websites, online shops, CRM systems, personnel management or payroll systems. Processing there is more than occasional, and any company with employees processes, for example, health data to determine sick days or religious data to pay church tax (special categories of data).
The obligation to draw up a processing directory often leads to great uncertainty about how detailed it should be in practice. Its purpose is to give the data protection authority an overview of the processing activities and of how data are handled in general. Under no circumstances is it necessary to create a separate database or to copy complete data records into it. Only the abstract data categories are required, such as "name", "bank details" or "religious affiliation", not "Max Müller", "IBAN DE75..." or "catholic". For employee data, for example, this means that not every employee is listed; only the higher-level data categories that describe the data recorded for each employee.
The directory should be maintained in German and kept up to date. To be able to prove to the supervisory authorities that it has been updated, changes should not be made by overwriting entries; instead, old entries should remain available and every change should be traceable. It is recommended to keep this change history for a period of at least one year.