Intro: What is meant by creating records of processing activities, what function does it have and what must be taken into account when implementing it?
To-Dos: What is the specific procedure for fulfilling the obligation to prepare and related obligations?
Statements: What have the data protection supervisory authorities published on the subject of creating records of processing activities?
The obligation to document processing activities is intended to encourage the company to become aware of its own data processing activities. Furthermore, the records are the first touch point for data protection authorities who want to inspect the legality of the company's handling of personal data.
A very important first question is what is meant by data processing from a legal perspective. When defining a data processing activity, including differentiating it from other data processing activities, the purpose is decisive: What is the purpose of the respective processing? In contrast, the type and manner of processing are not decisive. Nor should a distinction be made between individual processing steps; the distinction should instead follow the overriding purpose.
Both so-called controllers (the ones who define the purposes and means of a processing activity) and so-called processors (the ones who act as service providers based on instructions from the controllers) have to draft records of processing activities, although the scope of documentation items is much broader for controllers. Processors must support controllers in fulfilling the controller’s extended documentation duties.
The law does not detail the method by which processing activities have to be documented. Hence, it is up to the company to find a suitable means of documentation.
While documentation using a data protection management system is a good idea in larger companies, it is sufficient to use an Excel or Word template in companies with few data processing operations.
Process for documentation of processing activities. The process should at least specify (1) who is responsible for the documentation, (2) by which means the documentation should take place and (3) in which way data processing activities are to be documented. This might be accomplished by a documentation directive.
Definition of individual processing activities in the company. Differentiation should be based on the purpose of processing.
Documentation of processing activities. The documentation should be realized either by manual or technical means such as a data protection management system.
familiar with the characteristics of small and large companies
experienced in communicating with data protection authorities
active in data protection for over 10 years.