One of the new requirements of the General Data Protection Regulation (#GDPR) is the ‘#Register’ of all (non-)automated processing of personal data activities. What the structure and which information must it contain?
The German Data Authority has released the ‘Hinweise zum Verzeichn is von Verarbeitungstätigkeiten, Art. 30 DS – GVO’ document that explain the structure, content, and the motivation of the structure for the GDPR ‘Register’.
Because I do not expect you to know all of the GDPR’s articles, I have (slanted in brackets) briefly summarized the article purpose. Be also aware of the fact that the document represent the translated opinion of the German Data Protection Authority.
1) Purpose of the ‘Register’:
The purpose is set out in recital 82 (to demonstrate compliance with this Regulation) to Article 30 (Records of processing activities) of the GDPR.
According to this, the person responsible and the contractor for the purpose of verifying compliance with this Regulation are to keep a ‘Register’ of the processing activities which are subject to its jurisdiction.
This directory applies to all or part of automated processing and non-automated processing of personal data stored or stored in a file system.
Each person responsible for the contract and the contractor is obliged to cooperate with the supervisory authority and to provide the supervisor with the corresponding ‘Register’ on request, so that the processing operations concerned can be controlled by these directories.
The new regulation in Article 30 (Records of processing activities) requires not only every responsible person within the meaning of Art. 4.7 (including authorities as well as companies, freelancers, associations) but also contractors Within the meaning of Article 4.8 (‘processor’) of the GDPR, to draw up and maintain such a ‘Register’.
The regulation of Article 30 (Records of processing activities) also refers in each case to the representative within the meaning of Article 4.17 (‘representative’).
The content and scope of the ‘Register’ shall be differentiated according to the type and size of the place of a responsible person or contract processor, depending on the minimum requirements according of processing activities under its responsibility (Article 30.1 Records of processing activities content).
In addition, the directory can also be used or used in addition to the documentation itself:
- For a determination of the processing purposes pursuant to Article 5.1.b (collected for specified, explicit and legitimate purposes),
- For purposes of accountability and documentation, Article 5.2 (to demonstrate compliance), Article 24 (Responsibility of the controller),
- As a suitable measure for the fulfillment of the rights concerned pursuant to Article 12.1 (appropriate measures to provide any information),
- To establish and demonstrate appropriate technical and organizational measures pursuant to Article 24.1 (controller shall implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation) and Article 32 (Security of processing),
- To examine whether a data protection assessment according to Article 35 (Data protection impact assessment) must be carried out
- As the basis for fulfilling the tasks of the Data Protection Supervisor pursuant to Article 39 (Tasks of the data protection officer).
For this, additional information is necessarily required in the directory, eg individual data fields, origin or source of the data, legal basis for the processing, responsible employees, persons or groups of persons entitled to access, etc.
Thus in practice the list will often have to consist of a number of individual descriptions because of the differences in the procedures used.
2) Submission of the ‘Register’
The ‘Register’ of processing activities must be made available to the supervisory authority on request, Article 30.4 (by the controller or the processor) and Recital 82 (to demonstrate compliance with this Regulation).
The aim is that the supervisory authority can control the processing operations on the basis of these ‘Register’.
The reporting obligations, which are based on the Directive 95/46/EC, are no longer applicable to the supervisory authority, Recital 89 (general obligation to notify the processing of personal data to the supervisory authorities).
3) Form of the ‘Register’
4) Language of the Registry
The ‘Register’ are to be kept and maintain and (must take place in the language or languages used by the supervisory authorities and the data subjects concerned.) [Working Paper (WP) 243 of the Article 29 Group (Guidelines on the Data Protection Supervisor) According to the GDPR, WP 243, point 2.3)].
At least the organization must be able to submit immediately the requested directories to the supervisory authority [Article 30.4 (by the controller or the processor) and Recital 82 (to demonstrate compliance with this Regulation)].
5) Written the ‘Register’y – Electronically
The ‘Register’ are to be kept in writing pursuant to Article 30.3 (shall be in writing, including in electronic form). The supervisory authority can independently define the format of the submission (in writing in paper form or electronically in text form) and therefore also require an expression in an electronic format.
The proportionality and the necessity for the supervisory purposes pursued (for example, only the required part is printed out) is the yardstick.
6) Updating the ‘Register’ – Change History
In order to be able to make changes to the entries in the ‘Register’ (for example, who was responsible, data protection officer, etc.), documentation of the changes should be made with a longer storage period.
This can also be inferred from the principle of accountability under Article 5.2 (The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’)).
7) Registry Exceptions: Employment with fewer than 250 employees
No list of processing activities must be carried out under Article 30.5 (Exceptions to maintain a ‘Register’) responsible persons and contract processors with fewer than 250 employees, unless the person responsible or the order processor carries out processing of personal data,
- A risk to the rights and freedoms of the persons concerned (eg creditworthiness procedures, fraud prevention proceedings);
- Specific data categories in accordance with Article 9.1 (religious data, health data, biometric data for unambiguous identification, etc.) or on criminal convictions and offenses within the meaning of Article 10 (Processing of personal data relating to criminal convictions and offences).
- Not only occasionally (all other processing, eg payroll accounting, customer data management, IT / Internet / e-mail logging, school notes).
The obligation to maintain a ‘Register’ of processing activities therefore already exists if at least one of the three case groups is fulfilled. Because of the regularly occurring payroll accounts, companies will generally be exempted from the duty of such a ‘Register’, at most companies which carry out these activities completely through a tax consultant as well as possibly smaller clubs. In addition, in the case of wage billing or in the student administration with the indication of the confession affiliation, particular data categories Article 9.1 (data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation).
The term “not only occasional” can be interpreted by means of the Guidelines on the Data Protection Supervisor according to the GDPR of the Article 29-Group (WP 243). According to para. 2.1.4, the term “regular” applies if at least one of the following characteristics is fulfilled:
- Continuously or at certain intervals during a particular period of time
- Repeatedly or repeatedly at certain times
- Constantly or regularly.
Processes that pose a risk to the rights and freedoms of the persons concerned may, e.g. be:
- video surveillance,
- Creditworthiness and fraud prevention procedures,
- Locating of employees (for example by means of GPS),
- Processes in which communication content is affected
Conclusion: It is to be assumed that the exceptions only rarely reach, so also the conceptions of the previously published literature.
8) Content of the list – person responsible, Art. 30.1.
The list shall contain all the information enumeratively specified in Article 30 (1) (2) (a) to (g) of the GDPR. These must be meaningful, which also depends on the size of the company.
Useful and recommendable with an “extended directory” are the following details:
- Description of the specific processing activities as defined in Article 4.2 (‘Processing’, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction, etc.)
- (Eg Article 6 (Lawfulness of processing), employment contract, company agreement, effective consent, special statutory regulation, etc.).
Names and contact details – Art. 30 para. 1 p. 2 lit. a
- Names and contact details
- Of the person responsible Article 4.7 (the ‘controller’),
- Of a person who may be jointly responsible (Article 26 ‘Joint controllers’),
- A representative, if any, of persons responsible in third countries (Article 4.17 (‘representative’), Article 27 (Representatives of controllers or processors not established in the Union) of the GDPR,
- Of a possible data protection officer.
Postal, electronic and telephone accessibility is to be provided in order to ensure that the supervisory authority can reach the responsible person in a simple way (and in emergency cases also via different channels) (see WP 243, point 2.5 Publication and communication of the DPO’s contact details ).
Regulatory authorities and legal persons are not required to provide data on management personnel; from the point of view of the supervisory authorities, it is desirable to specify the responsible contact person.
With regard to the main branch, this is within the meaning of Article 4.16.a (Processing Manager in more than one Member State).
With regard to the term ‘representative’, the definition of Article 4.17 (‘representative’) of the GDPR is to be observed, according to which ‘representative’ is not only the domestic representative, but also a natural or legal person established in the EU.
Purpose of processing – Article 30.1.b (purposes of the processing)
Divided into individual directories such as:
- Personnel records management / Master Data
- Wage, salary and remuneration
- Holiday file
- IT / Internet / E-Mail usage logs
- application process
- Telephone Data Collection
- Company car park management
- Video surveillance in workplaces, schools etc.
- Student management, teaching scheduling, certification
- Procurement / Purchasing as well as Financial Accounting
- Application processing (building applications, applications for housing applications, etc.)
- Council and Citizen Information Systems)
- Reporting system (reporting ‘Register’)
- Registration and registrations
- Options (dialup directory)
- Medical examinations
- Pregnant women and mothers advice,
- Recording and monitoring non-academic medical professions,
The purpose shall be defined for each processing.
The purposes must be clear and transparent in order to enable the supervisory authority to examine the adequacy of the protective measures taken and the admissibility of the processing.
Categories of affected persons & personenbez. Data – Art. 30 para. 1 p. 2 lit. c
Description of categories of affected persons and the categories of personal data.
In this case, it is advisable to assign consecutive numbers with regard to the individual categories of personal data, which can thus be assigned to the further specific data according to the invention. Article 30 para. 1 sentence 2 lit. d to f GDPRs, e.g. To specific deletion rules.
For example, Eg in the representation of the “category of employees” in the data categories:
- Employee Master Data
- With address data, date of birth, bank connection, tax characteristics, wage group, working hours, previous areas of activity, qualifications, etc.
- Applications with contact data, qualification data, activities, etc.
- Working documents with address data, performance data, assessment data, etc.
- Warnings with address data, work behavior, performance data, etc.
- Medical examination with address data, health data, etc. Timetable as a deployment plan for teachers
- Video surveillance at workstations, etc.
For example, Eg in the representation of the category “customer data” into the categories:
- Customer contact data with address data, contacts, etc.
- Customer group / -interested
- Sales data so far
- credit information
- Payment data etc.
- For schools: Absenteeism, school performance certificates
For example, For example, in the category “Deputies of Membership” in the categories:
- Names and contact details (address, telephone, e-mail) of deputies
- Group membership
Categories of beneficiaries – Art. 30 para. 1 p. 2 lit. d
Indicate the categories of recipients to whom the data has been disclosed or is still being disclosed, including recipients in third countries.
For example, Eg for wage and salary:
- social Security Institutions
- tax offices
- Other data recipients (for example, works council, technical supervisor)
- If applicable, creditor for wage / salary mortgages
- If applicable, bearers of the company pension
- If necessary, order processor
- Possibly parent company
Recipients can also be parts of a company or a department. This is the case, provided access to the data is possible (for example, access to company or customer data at banks operating nationwide, or the issuing and receiving school at the same school).
The term “data recipient” should therefore be supplemented by “access rights”.
The access rights should be indicated as before, without name. However, e.g. Can be unambiguously determinable via a role or function description. However, e.g. At the o.g. Access to the data on the branch side, it is useful to specify the number of access points or access rights with respect to the current status (date).
A statement should be made to “third countries”, which should also be indicated if a transfer to third countries does not take place and is not planned.
A transfer to third countries also takes place if the server is located there or the mailing is handled there. Similarly, a transfer to third countries may be provided if support services are provided by the latter.
“Disclosure” means that both the recipients in the past, as well as those in the future are to be named.
Transmissions to third countries – Art. 30 para. 1 p. 2 lit. e
Where appropriate, transfers of personal data to a third country or to an international organization, including the third country or international organization concerned, as well as the documentation of appropriate guarantees for the data transmissions referred to in the second subparagraph of Article 49.1 (Derogations for specific situations)
Recipients in third countries and international organizations are not categories and therefore have to be specified in detail.
Article 49.6 (assessment as well as the suitable safeguards) of the GDPR is to be observed, according to which the person responsible takes up the appraisal and the appropriate guarantees within the meaning of the second subparagraph of Article 49.1 (Derogations for specific situations) in the list of processing activities.
Period of storage – Art. 30.1.f (time limits for erasure)
Indication of the deadlines for the deletion of the various categories of data, B.
- The applicable trading and tax retention requirements for personal data, customer data, etc.
- Valid retention and deletion periods for student data, examination documents, etc.
- Legally stipulated deletion periods
- By the responsible person
A general reference to retention requirements is not sufficient, but precise information is required.
Technical and organizational measures – Article 30 (1) (2) lit. G
General description of the technical and organizational measures according to Art. 32.1.
Processing may not take place before the person responsible has complied with his duty under Article 32 (Security of processing). Therefore, it can be assumed that the documentation can not dispense with a concrete description.
The compulsory details of the directory must be easy to understand.
References to existing documents are possible. For larger companies, a reference to already existing documentation and safety concepts (for example, the standard data protection model (SDM)) may be sufficient, without these being shown here in full.
The areas of application mentioned in Article 32.1 (Appropriate technical and organizational measures) essentially correspond to the previous catalog of technical and organizational measures (TOMs).
The description of the respective measure is specific to the category of persons concerned or personal data Article 30.1 sentence 2 lit. c ().
In this connection, reference is also made to the use of the SDM.
Where specific types of personal data are concerned, a careful selection of technical and organizational measures is required. According to Article 32.1 (Appropriate technical and organizational measures) must be taken in particular to ensure:
Areas of application according to Art. 32.1 (Appropriate technical and organizational measures):
- Pseudonymization of personal data
- Encryption of personal data
- Ensuring the confidentiality of systems and services
- Ensuring the integrity of systems and services
- Ensuring the availability of systems and services
- Ensuring the resilience of systems and services
- Restore the availability of personal data and access to them after a physical or technical incident
- Procedures for periodic review, evaluation and evaluation of the effectiveness of the above mentioned measures
- Measures for the pseudonymization of personal data This includes:
- Separation of customer master data and customer sales data
- Separation of patient contact data and treatment data / findings, etc
- Use of personnel, customer, patient identifiers instead of names
- Measures for the encryption of personal data (Eg in stationary and mobile storage / processing media, in electronic transport).
- Which includes:
- Symmetric encryption
- Asymmetric encryption
- Measures to ensure the confidentiality of the systems and services which are intended to prevent unauthorized access or access to personal data, to the person responsible or to the transport route to contract processors or third parties.
- ingress access control
- access to control
- Relay control
- separation control
- Measures to ensure the integrity of systems and services, which ensure that personal data can not be changed (without notice).
- entry control
- As well as, in particular, organizational and technical safeguarding of authorizations, logging formats, protocol evaluations / revision etc.
- Measures to ensure the availability of the systems, Services that ensure that personal data are available permanently and without restriction, and in particular when they are needed.
- Availability control
- job control
- Measures to ensure the resilience of the systems, Services that ensure that the systems and services are designed so that even high loads or high continuous loads of processing remain affordable.
- Refers in particular to memory, access and line capacities
- Measures to quickly restore the availability of personal data and access to them after a physical or technical incident.
- Backup concept
- Redundant data storage
- Cloud services
- Double IT infrastructure
- Shadow data center
- Procedures for periodic inspection, evaluation and evaluation of the effectiveness of the above mentioned measures.
- Development of a security concept
- Audits of the DSB, the IT revision
- External audits, audits, certifications
9) ‘Register’ content – Contractual Processor, Article 30.2
Each contract processor and his representative, as defined in Article 4.17 (‘representative’), shall keep a list of all categories of processing carried out on behalf of a responsible person.
The list contains all the information enumeratively referred to in Article 30.2 [each processor’s (representative) shall maintain a record of all categories of processing activities] (a) to (d) of the GDPR and forms an order catalog with details of the contracting entities and subcontractors.
In doing so, a subcontractor must name only his direct customers and not the other chain behind it, up to the responsible persons.
For the explanations and definitions, please refer to the comments on Chapters 1 to 6.
Names and contact details – Article 30.2.a (name and contact details of the processor or processors)
Names and contact details
- The order processor, possibly several Article 4.8 (‘processor’)
- Name and contact details of a representative of the contractor Art. 4.17 (‘representative’) or Article 27 (Representatives of controllers or processors not established in the Union)
- Each responsible Independent Software Vendor person Art. 4.7 (‘controller’), on whose behalf the order processor works
- Name and contact details of a representative of the person responsible in the meaning of Art. 4.17 (‘representative’) in conjunction with Article 27 GDPR
- Of a possible data protection officer
10) Description of the processing – Article 30.2.b
Description of the categories of processing carried out on behalf of each responsible person.
The order code must be differentiated according to the individual orders, eg:
- Financial Accounting
- email database
- Acceptance of the company / administrative telephone system
- Advertising address processing
- Scanning of company / official documents
- Support / Maintenance Service
- Calculator service with support and data backup, for which the customer alone defines the purpose and the processing
- Archiving of data
- Deletion and disposal of data carriers
- learning platform
- Data processing in an external data center
11) Transmissions to third countries – Article 30.2.c.
Where appropriate, transfers of personal data to a third country or to an international organization, including the third country or international organization concerned, as well as the appropriate guarantees referred to in the second subparagraph of Article 49.1. (Derogations for specific situations).
- Presentation as in Article 30.1.e (suitable safeguards)
- With details of the specific data recipients in the third country
12) Technical-organizational measure – Article 30.2.d.
General description of the technical and organizational measures in accordance with Article 32.1 (Appropriate technical and organizational measures).
With regard to the explanatory notes and definitions, reference is made to the comments on
Article 30.1 sentence 2.g (general description of the technical and organizational security measures)
13) Consequences of infringement – Art. 83.4.a
- Missing or incomplete management of a list of all processing activities, or
- Failure to submit the list upon request by the supervisory authority
Are imposed with fines of up to € 10,000,000 or, in the case of an enterprise, up to 2% of the total annual turnover of the preceding financial year, whichever is higher.
14) Legal basis
Article 30 – ‘Register’ of processing activities
Each responsible person and, where appropriate, his representative shall keep a list of all processing activities which are subject to their jurisdiction. This directory shall contain all the following information:
- the name and contact details of the person responsible and, where appropriate, the person in charge, the representative of the person responsible and any data protection officer;
- the purposes of processing;
- a description of the categories of persons concerned and the categories of personal data;
- the categories of recipients against which the personal data have been disclosed or disclosed, including recipients in third countries or international organizations;
- where appropriate, transfers of personal data to a third country or to an international organization, including the name of the third country or international organization concerned, and the documentation of appropriate safeguards in the case of data transmissions referred to in the second subparagraph of Article 491 (Derogations for specific situations);
- where possible, the deadlines for the deletion of the various data categories;
- where possible, a general description of the technical and organizational measure referred to in Article 32.1 (Appropriate technical and organizational measures).
- Each contractor and, where appropriate, his representative shall keep a ‘Register’.
- All categories of processing carried out on behalf of a responsible person, including:
- the name and contact details of the contractor or contractors and any responsible person on whose behalf the contractor is working, as well as, where appropriate, the representative of the person responsible or the contractor and any data protection officer;
- the categories of processing carried out on behalf of each responsible person;
- where appropriate, transfers of personal data to a third country or international organization, including the indication of the third country or international organization concerned, as well as the appropriate safeguards for the data transmissions referred to in the second subparagraph of Article 49.1 (Derogations for specific situations);
- where possible, a general description of the technical and organizational measure referred to in Article 32.1 (Appropriate technical and organizational measures).
- The list referred to in paragraphs 1 and 2 shall be kept in writing, which may also be in an electronic format.
- The responsible person or the order processor, as well as the representative of the person responsible or the contractor, shall provide the supervisory authority with the ‘Register’ on request.
- The obligations referred to in paragraphs 1 and 2 shall not apply to undertakings or establishments employing less than 250 staff, provided that the processing which they carry out does not pose a risk to the rights and freedoms of the persons concerned Or the processing of particular categories of data as referred to in Article 9.1 (Processing of special categories of personal data) or
- Processing of personal data on criminal convictions and offenses within the meaning of Article 10. (Processing of personal data relating to criminal convictions and offences)