Gleanings: GDPR Workshop - The Directory of Processing Activities with Template

Due to the great demand of our customers and interested parties on the topic of GDPR and Directory of Procedures, SEC4YOU offered a GDPR workshop in November 2017, which specifically highlights the implementation of GDPR measures and offers affected companies the opportunity to start directly at the workshop with the measures or to support their own project with templates and decision bases.

The workshop was aimed at public and private companies from all sectors that process or store personal data. Contrary to the widespread opinion that the GDPR only applies to large companies, this question was answered conclusively by workshop leader Manfred Scholz as well as by two lawyers present:

The GDPR affects all companies that process personal data — regardless of company size and legal form — as of 25.5.2018!

After explaining the history of the GDPR and the position of Austria in the European vote, the participants agreed on the essential components of the GDPR implementation. As an important task within the GDPR measures, the new requirement of keeping a register of processing activities in Austria was discussed.

Directory of processing activities by means of software?

Contrary to the opinion of individual providers, a software tool for maintaining the directory of processing activities should not be in the foreground of a GDPR project, as the initial creation can usually be done in Excel or Word for small and medium-sized companies. In large companies, or if the maintenance effort for keeping and regularly checking or revising the directory is to be done by several employees or in distributed companies, the introduction of a special tool can also save costs.

The Directory of Processing Activities — DSGVO VV

As has been customary in German data protection for over 10 years as a “procedural directory” or “procedural overview”, the GDPR now also requires companies to maintain a directory of processing activities. Experts see a difference here to the DSG 2000 where in Austria a basic obligation to report certain data applications in the data protection register is required (until May 2018) or was required (from May 2018).

An important feature of a procedure directory is that the data-processing company processes are recorded and not the applications themselves.

=> What therefore does not belong in a directory of processing activities? e.g. MS CRM, Excel or Exchange.

The important contents of the directory of processing activities have been summarized.

In the role of the controller must be recorded:

Name and contact details of the controller, if applicable joint controller or a representative (EU).
Name and contact details of the data protection officer
Purpose of the processing
Categories of data subjects
Categories of personal data
Categories of recipients
Transfer to third countries (guarantees, if applicable)
Deletion periods
General description of technical and organizational measures (TOM according to Art 32 para.1).

On the other hand, processors have the following recording obligations:

Name and contact details of the data controller, joint data controller or representative (EU), if applicable.
Name and contact details of the data protection officer
Categories of processing
Transfer to third countries (guarantees, if applicable)
General description of technical and organizational measures (TOM according to Art 32 para.1)

In the last part of the workshop, exemplary examples were presented how a directory of procedures looks like and the SEC4YOU template V1.1 of the directory of processing activities was presented.

Contents of the workshop

This is the recording of the workshop contents without sound.

Gleanings: GDPR Workshop — The Directory of Processing Activities with Template