Under Art. 30 GDPR (DSGVO), controllers must draw up a record of processing activities (in German, Verzeichnis von Verarbeitungstätigkeiten, VVT) in which every processing operation involving personal data is documented.
This is one of the most important documents in the entire GDPR, because it concerns every company. As soon as an enterprise processes personal data, it must document those operations properly in this record; the same obligation applies to processors (Art. 30(2)). It is often claimed that the record is only required of companies with more than 250 employees. In fact, the exemption for smaller organisations in Art. 30(5) applies only if the processing is merely occasional, is not likely to result in a risk to the rights and freedoms of data subjects, and involves no special categories of data. Processing that is genuinely occasional is rare in practice, and where special categories such as health data or religious beliefs are involved, the obligation to create and maintain the record applies regardless of company size.
What does such a record of processing activities look like?
The companies themselves decide on the layout of this document, but its content must include the information the GDPR makes mandatory. Typically a clearly structured form is chosen so that all processing operations are recorded according to the same scheme and changes can be made quickly. It is therefore advisable to keep the record (VVT) in digital form.
A typical structure has three parts: the cover sheet, the main part and a third part. The cover sheet contains the required details about the company as controller and about the data protection officer, whether internal or external. The main part covers the individual processing operations, each documented separately and in detail. The entries include the name of the operation (e.g. payroll accounting), the purpose of the processing, the categories of data subjects and of personal data processed, the recipients of the data, the deadlines for erasure and, where applicable, any transfer to a third country or international organisation together with the identification of that country or organisation.
The third part covers the technical and organisational measures (TOM) within the meaning of Art. 32. These are broken down into sub-areas such as work instructions or IT security and serve to document that appropriate safeguards for the data have actually been implemented.
What happens if you ignore it?
The GDPR punishes infringements with high fines, which are nevertheless meant to be proportionate. Depending on the seriousness of the violation, companies face a fine of up to 20 million euros or 4% of their total worldwide annual turnover, whichever is higher. A missing or incomplete record of processing activities falls under the lower tier of Art. 83(4), with a maximum of 10 million euros or 2% of turnover. Fines of that magnitude are aimed at large corporations rather than the average business, but they are meant to be high enough to act as a deterrent. The first sanctions have already been imposed; it remains to be seen how severely future violations will be punished.