How do I do the directory submission

Directory of processing activities (VVT) simply explained - with tips and checklists

The General Data Protection Regulation (GDPR) requires companies to keep a record of processing activities (Art. 30 GDPR). This directory is similar to the so-called procedure directory of the old Federal Data Protection Act (BDSG-old). Anyone who already kept a directory of procedures before the GDPR came into force can use this as the basis to build up and further develop the directory of processing activities. This article aims in particular to clarify who has to use a VVT, what belongs in a VVT and how it is structured. It also contains practical tips, examples and a checklist for a successful listing of processing activities.

Who is obliged and when does a VVT have to be drawn up?

The most important question is first of all who has to create a list of processing activities and submit it to the supervisory authority when requested. A distinction must be made between which data processing is required and which persons and companies are obliged to keep a VVT.

In principle, all procedures in which personal data are processed belong in the directory of processing activities. It is part of a successful data protection management system. Personal data are those that relate to a natural person and at least make them identifiable. Personal data are, for example, the name and address of a person, but also their IP address.

Article 30 GDPR assumes that in such cases a VVT must be created. Both the person responsible for data processing operations and a possible processor must create such a directory according to the General Data Protection Regulation.

The person responsible is the person who, alone or jointly with others, decides on the purposes and means of processing personal data. Processor is whoever processes personal data on behalf of the person responsible, whereby the person responsible determines the means and purposes of the processing. The processor has no decision-making authority over the data and does not pursue its own business purposes with them; for example, these are cloud providers or call centers.

When is one exempt from duty?

A limited exception is made to the obligation to keep a record of processing activities for institutions with fewer than 250 employees (Art. 30 (5) GDPR). The following restrictions are attached to this exception:

  • There must be no risk to the rights and freedoms of the data subject (e.g. video surveillance).
  • Processing may only take place occasionally.
  • No processing of personal data of the special categories according to Art. 9 GDPR may take place (e.g. health data).

Due to these restrictions, companies with fewer than 250 employees will hardly be able to exempt themselves from the obligation to create a VVT. Because most processing activities are not just done occasionally, but regularly, such as keeping personnel files, managing a customer database or sending newsletters. That is why, as a rule, many self-employed, tradespeople and medical practices, for example, are obliged to run a VVT.
It should be noted that in most companies a directory of processing activities is required.

What if I don't have a VVT or it is incomplete?

A look at Article 83 GDPR shows why a VVT is important and should not be underestimated: There, if the list of processing activities is missing or incomplete or not presented, i.e. a violation of Article 30 GDPR, a fine of up to 10 million . Euros or threatened with companies up to 2 percent of the total worldwide annual turnover.
That is why: The VVT ​​should not be underestimated, but should be given special attention!

How is the VVT ​​roughly structured?

The directory of processing activities is ideally divided into two higher-level blocks:

  • Names and contact details
  • The individual processing activities

In the following we will mainly deal with the VVT ​​for those responsible. For processors, the requirements for the directory of processing activities are generally somewhat lower.

How do I start the VVT?

The VVT ​​begins with the names and contact details of the person responsible and his representative.
Should the person responsible decide jointly with another person on the purposes and means of data processing, these other persons responsible must also be listed with their names and contact details and linked to the corresponding processing activity.
Joint responsibility ("joint control") exists, for example, when an employer works with a recruiting service provider who sifts through for this applicant and, if necessary, holds initial interviews. However, according to case law, it can also apply to the operator of a Facebook fan page.

In addition, if a data protection officer has been appointed, his name and contact details must be listed in the list of processing activities.
Incidentally, a data protection officer is necessary if at least 10 people are constantly involved in the automated processing of personal data or - to put it simply - the company's core activity comprises the processing of personal data. The core activity of an online shop, for example, is sales, while credit agencies process personal data in their core activity. You can find out more about typical questions about data protection officers and the biggest GDPR myths in another blog article.

Processors must provide the names and contact details of themselves and their representatives, all clients and their representatives, and any data protection officer.

Read more on the topic:

Efficient data protection through data protection management systems
Video surveillance and data protection: what really matters

What are processing activities and which are there?

A processing activity is a process in which personal data is processed for one or more purposes. Processing is understood to mean any process carried out with or without the help of automated procedures in connection with personal data.

The General Data Protection Regulation cites the following examples in particular: collecting, recording, organizing, sorting, saving, adapting, changing, reading out, querying, using, transmitting, disseminating, providing, comparing or linking data.

If you want to start recording the individual processing activities, you first have to be aware of which ones actually exist in the company. It can be helpful to divide the company into organizational areas in advance and then work through each area one after the other.

To this end, it must also be clarified which software is used and which of it personal data is processed automatically, for example. US service providers are also often used as processors. Both of these must not be forgotten when listing the processing activities.

Typical processing processes that actually occur in every company are for example:

  • Human resource management
  • Payroll
  • Applicant management

It can also make sense to divide the processing activities into higher-level groups, for example:

  • accounting
  • staff
  • marketing
  • Customers
  • IT

Then the list of processing activities becomes clearer. It should be based on the structure and complexity of the company and be structured.

What information belongs to the individual processing activities?

The content and the required details of the individual processing activities result for the person responsible from Art. 30 Para. 1 GDPR. Accordingly, every processing activity includes:

  • Purposes of processing
  • Categories of data subjects (e.g. employees, applicants, customers, patients, minors)
  • Categories of personal data (e.g. contact details, address data, sales data), in particular whether there are special categories (e.g. health data)
  • Categories of recipients of personal data (e.g. for wages and salaries: banks, social security agencies, tax office)
  • Specification of the third country or international organization in the case of transfers to non-EU countries, possibly including suitable guarantees of an equivalent level of data protection
  • Deletion periods, also taking into account retention obligations
  • Description of the technical and organizational measures (TOMs) and / or reference to the existing security concept with TOMs

It can be helpful to refer to existing documents within the VVT, such as a data protection concept, an overview of the technical and organizational measures (security concept), a data protection impact assessment or a deletion concept, which already contain information for the VVT.

In contrast, instead of the purposes of processing and categories of persons, data and recipients, processors only have to list the categories of processing carried out on behalf of a controller (Art. 30 (2) GDPR). In addition, you do not have to have any deletion periods in your VVT.

In what form and language does the VVT ​​have to be kept?

The list of processing activities must be kept in writing, including an electronic format such as an Excel spreadsheet. However, if the VVT ​​has to be presented, the supervisory authority can decide whether to request it electronically or in print. The VVT ​​must be in German.

How often does the VVT ​​have to be updated and checked?

The VVT ​​must be regularly maintained and kept up to date. Whenever a new processing activity with personal data is added, the list of processing activities must also be updated. In addition, the VVT ​​should also be checked at regular intervals to ensure that all entries are up to date. A good data protection management system (DSMS) is also helpful and useful for this.

In addition, the data protection conference recommends that changes in the VVT ​​be made traceable with a storage period of one year in order to comply with the accountability under the GDPR. This is especially important if, for example, the person responsible has changed in the meantime.

Why is a VVT also useful?

In addition to the legal obligation to keep a record of processing activities and to make it available to the supervisory authority upon request, the VVT ​​also helps when data subjects assert their rights to information. It also helps to keep the data protection declaration complete, for example on a website, by comparing which processing operations exist. This makes it easier to meet the information requirements.

What is an example of a processing activity in the VVT?

In the following, a typical processing activity in the VVT ​​is shown using an example of application management:

  • Purpose: Recruiting (finding and selecting suitable applicants)
  • Categories of personal data: first name, surname, address data, contact data, data on performance and skills, application documents (cover letter, curriculum vitae, certificates)
  • Data Subject Categories: Applicants
  • Categories of recipients: Human Resources, Works Council
  • Transmission to third countries or international organizations: none
  • Deletion periods: up to 6 months after the end of the application process or 2 years if you consent to further storage in the applicant data pool
  • Technical and organizational measures (TOMs): see security concept

Checklist - thought of everything?

  • Am I responsible or processor?
  • Do I need a VVT or do I fall under the exception?
  • Do I give the names and contact details of all required persons?
  • Have I listed all processing activities of my company in the VVT?
  • As the person responsible: Do I indicate the purposes of the processing, the categories of data subjects, data and recipients? Do I give deletion periods? Do I process data of the special categories (Art. 9 GDPR)?
  • As a processor: do I specify the categories of processing?
  • Do I transfer data to non-EU countries, for example by using US service providers, and do this in the VVT?
  • Are the TOMs described and / or referenced to a security concept?
  • Is the VVT ​​also available in German and can it be printed out in case of doubt?
  • Do I update and check the VVT ​​regularly?

Anyone who is unsure whether and how to create a directory of processing activities (VVT) should seek professional advice in case of doubt. We can move you forward with our in-house sample directory and contribute to successful data protection management. The IT and legal experts at ISiCO Datenschutz GmbH have many years of experience in creating VVTs. Our clients come to us from many different industries - trust us too! We look forward to working with you on all data protection issues!