GDPR: Maintaining a processing directory - what you need to know
The GDPR requires almost every company to create a processing directory. We have summarized here what you need to know.
GDPR: Who has to keep a processing directory?
The GDPR is not clearly formulated in all points. Some areas allow room for interpretation.
- According to Art. 30 Para. 5 GDPR, companies with fewer than 250 employees are in principle not required to keep a processing directory. However, this exemption is narrowed by several exceptions.
- If you process personal data more than "occasionally", you must keep such a directory, even if the company has only a few employees. However, the law does not elaborate on exactly what "occasionally" means.
- Companies are also required to maintain the directory if the data is particularly sensitive. This is the case, for example, with health data or criminal convictions. For example, doctors or lawyers are affected.
- If the data poses a risk to the rights and freedoms of the data subjects, you must also keep a processing directory. This is the case, for example, with evaluations and profiling.
- For example, if you maintain a supplier or customer database or manage employee data, data protection law obliges you to maintain a processing directory.
- You can therefore assume that the exemption from the documentation requirement only applies very rarely.
- By the way, we explain in detail what the General Data Protection Regulation is in another practical tip.
Data protection: What the GDPR processing directory must contain
Article 30 of the GDPR specifies the minimum requirements that a processing directory must meet.
- First of all, the directory must contain the name and contact details of the controller, i.e. the person or entity responsible for the processing.
- In addition, the purpose of the processing must be stated and the categories of the data subjects and the categories of personal data must be described.
- The categories of recipients to whom the personal data are disclosed must also be listed.
- In addition, the processing directory must state the time limits for erasing each category of data.
- Where possible, the documentation requirement also includes a general description of the technical and organizational measures used to protect the data.
- You can find a template for creating the processing directory at the professional association of data protection officers in Germany, for example.
So that you as the website operator know what you need to consider, you will find a GDPR checklist in our next practical tip.