Due to strong demand from our customers and interested parties on the topic of GDPR and the directory of procedures, SEC4YOU offered a GDPR workshop in November 2017. The workshop specifically highlighted the implementation of GDPR measures and gave affected companies the opportunity to start on the measures directly at the workshop or to support their own project with templates and decision bases.
The workshop was aimed at public and private companies from all sectors that process or store personal data. The widespread opinion that the GDPR only applies to large companies was addressed, and the question answered conclusively, by workshop leader Manfred Scholz as well as by two lawyers present:
The GDPR affects all companies that process personal data — regardless of company size and legal form — as of 25.5.2018!
After explaining the history of the GDPR and the position of Austria in the European vote, the participants agreed on the essential components of the GDPR implementation. As an important task within the GDPR measures, the new requirement of keeping a register of processing activities in Austria was discussed.
Directory of processing activities by means of software?
Contrary to the opinion of individual providers, a software tool for maintaining the directory of processing activities should not be the focus of a GDPR project, as small and medium-sized companies can usually create the initial directory in Excel or Word. In large companies, in distributed companies, or where several employees share the effort of keeping and regularly checking or revising the directory, the introduction of a special tool can also save costs.
The Directory of Processing Activities — DSGVO VV
As has been customary in German data protection for over 10 years under the name “procedural directory” or “procedural overview”, the GDPR now also requires companies to maintain a directory of processing activities. Experts see a difference here from the DSG 2000, under which Austria has (until May 2018), or had (from May 2018), a basic obligation to report certain data applications to the data protection register.
An important feature of a procedure directory is that it records the company's data-processing processes, not the applications themselves.
=> So what does not belong in a directory of processing activities? For example, MS CRM, Excel or Exchange.
The important contents of the directory of processing activities have been summarized.
In the role of the controller, the following must be recorded:
- Name and contact details of the controller, if applicable joint controller or a representative (EU).
- Name and contact details of the data protection officer
- Purpose of the processing
- Categories of data subjects
- Categories of personal data
- Categories of recipients
- Transfer to third countries (guarantees, if applicable)
- Deletion periods
- General description of technical and organizational measures (TOM according to Art. 32 para. 1)
On the other hand, processors have the following recording obligations:
- Name and contact details of the data controller, joint data controller or representative (EU), if applicable.
- Name and contact details of the data protection officer
- Categories of processing
- Transfer to third countries (guarantees, if applicable)
- General description of technical and organizational measures (TOM according to Art. 32 para. 1)
In the last part of the workshop, examples were presented showing what a directory of procedures looks like, and the SEC4YOU template V1.1 of the directory of processing activities was presented.
Contents of the workshop
This is the recording of the workshop contents without sound.