The record of processing activities is a documentation requirement of the EU General Data Protection Regulation (GDPR). Under Art. 30 GDPR, companies must draw up a list of all activities in which they process personal data (processing activities).
For the list of processing activities, the terms “Data Inventory” and “Data Mapping” are also used somewhat imprecisely.
Overview
- What is a processing activity?
- What are examples of processing activities in a record of processing activities (examples/templates) under Art. 30 GDPR?
- What information must be found in a record of processing activities according to Art. 30 GDPR (examples)?
- Where can I find examples, samples, templates and free Excel for the records of processing activities?
- What else is important to know about the records of processing activities (also: “Data Inventory” and “Data Mapping”)?
1. What is a Processing Activity?
The term "processing activity" is not defined in the GDPR. It is therefore often unclear what is to be documented in the records of processing activities and to what degree of detail.
A "processing activity" can be understood as a set of processing steps serving a single, overarching purpose, e.g. a specific business process or an IT tool.
Examples of processing activities are:
- Use of specific software or devices with which employee data is recorded, stored or evaluated (e.g. time recording system, digital personnel files, electronic access card system, video surveillance).
- Standardised internal processes in which employee data is continuously or systematically collected, stored or used (e.g. handling of job applicant data, administration and processing of training measures, payroll accounting, e-mail newsletters for customers).
The question often arises as to the level of granularity of the processing activities to be documented in the records of processing activities (data inventory, data mapping).
Example: Should you have one processing activity "administration of appraisal interviews" or two processing activities "target agreement" and "measurement of target achievement"?
To determine whether certain processing operations constitute one major processing activity or several minor processing activities, the following aspects may be taken into account:
- A high granularity leads to a confusing number of processing activities and unnecessarily increases the administrative burden.
- Too coarse a granularity (e.g. "personnel data management") no longer allows a meaningful review of data protection compliance.
- To determine an overarching purpose, an orientation to existing business processes or areas of responsibility is useful.
- The delimitation can also be based on the technical systems underlying the processing activity. However, not every IT system must be considered as a separate processing activity.
- If a processing activity would fall under the responsibility of several departments, splitting up the activity may be appropriate.
- In purely pragmatic terms, a coarser level of granularity in the definition of processing activities could be accepted for smaller companies.
Purely abstract processing with no specific purpose (examples: general use of office software, general project organisation) or only occasional processing operations (example: keeping participant lists of meetings) need not be treated as "processing activities".
2. What are Examples of Processing Activities in a Record of Processing Activities (Examples/Templates) under Art. 30 GDPR?
Typical processing activities in a company are shown below. The list is exemplary, not exhaustive, and is only intended as a guide.
The granularity is oriented more towards small companies. In medium-sized and larger enterprises, a more detailed breakdown might be useful, for example in the HR area.
HR
- Application management/Recruiting
- Personnel file management
- Payroll
- Time recording (clock-in/clock-out times)
- HR development / employee appraisals
- Fleet management
- Travel expense management
IT
- E-mail service for employees
- Internet access for employees
- File server
- Intranet / employee directory
- Guest WLAN
Online
- Website operation
- Newsletter subscription management
- Tracking (analysis of website traffic)
- Social media accounts (e.g. Facebook page)
Customers
- Contract processing / sales / distribution
- CRM (customer database)
- Marketing (e.g. newsletter subscriber lists, opt-out lists)
General / Suppliers
- Accounts payable
- Accounts receivable
- Project Management
- Production (e.g. shift schedules)
- Audit
- Legal
- Compliance
Miscellaneous
- Video surveillance
3. What Information Must be Found in a Record of Processing Activities according to Art. 30 GDPR (Examples)?
The mandatory content of the record of processing activities is laid down in Art. 30 GDPR. In addition to the name and contact details of the company and of the data protection officer, if any, the following information must be provided for each individual processing activity:
- Purpose of the processing
- Data types processed
- Group of persons to whom the processed data relates (data subjects)
- Recipients
- Information on transfers to countries outside the EU/EEA
- Deletion periods
- Data security measures
In addition, the following organisational details can be added:
- Short description (title) of the processing activity
- Internally responsible department and person
- Date of record/last changes
If the company bases its data processing on the legal basis of the "balancing of interests" (Art. 6 para. 1 lit. f GDPR), this should be noted in the records of processing activities, together with an indication of the specific interests pursued. This information is necessary to fulfil the information obligations under the GDPR.
Useful, although not required by law:
- Legal basis (or bases) according to Art. 6 GDPR on which the processing is based; in the case of "balancing of interests", additionally the legitimate interests pursued (this information is required for data protection notices according to Art. 13 para. 1 lit. c and d GDPR).
- Description of the IT system used to process the data
- Use of data processors
- Whether special categories of personal data according to Art. 9 GDPR are processed
- More detailed explanation of the data processing
- Works council agreements regulating the data processing
The scope of the information on processing activities depends on the objective pursued with the records. If the aim is to meet the formal legal requirements as closely as possible, the mandatory information with a brief description is sufficient.
However, the record of processing activities is also a central component of a data protection management system in order to ensure compliance with data protection law. Based on the records of processing activities, for example, the individual processing operations can be checked for their compliance with the GDPR and necessary improvements can be identified. This often requires documentation of the processing activities that goes beyond the mandatory information. In addition, a more detailed record of processing activities helps the company to comply with the so-called accountability principle, according to which the company must also be able to prove compliance with the GDPR. The record of processing activities is also an important tool when drafting data protection information/notices/policies (e.g. for employees or applicants) and when handling data access requests from data subjects.
Since the records of processing activities must be provided upon request to a supervisory authority, it should be ensured that in this case only the mandatory data can be extracted.
To avoid repetition, it is advisable to document certain pieces of information separately and to refer to them from the individual processing activities, provided that no particularities arise in the specific procedure. This method of factoring out common information is particularly useful with regard to deletion periods, data security measures and, if applicable, data recipients.
The description in the records of processing activities can usually be brief and, where appropriate, even in bullet point form, but must be complete and self-explanatory. The more the data processing may affect the interests of the data subjects, the more precise the description must be. Criteria for this are, for example, the sensitivity of the data, the scope of the data, the number of data subjects, the nature and the type of processing.
Sometimes the records of processing activities are mixed with checklists to assess the GDPR compliance of the data processing. I personally recommend clearly separating the records of data processing activities (pure documentation) from the review of the data processing activities.
4. Where can I find Examples, Samples, Templates and Free Excel for the Records of Processing Activities?
Information on the records of processing activities pursuant to Art. 30 GDPR from the German data protection supervisory authorities (Datenschutzkonferenz - DSK): https://www.lda.bayern.de/media/dsk_hinweise_vov.pdf
Practical help from the Society for Data Protection and Data Security (GDD) for the records of processing activities: https://www.gdd.de/downloads/praxishilfen/GDD-Praxishilfe_DS-GVO_5.pdf
Explanations of the data processing records from Bitkom e.V. (German Association for Information Technology, Telecommunications and New Media) including tips on how to draft it: https://www.bitkom.org/sites/default/files/file/import/180529-LF-Verarbeitungsverzeichnis-online.pdf
Very basic examples and templates for records of processing activities for small businesses from the Bavarian data protection authority (for associations, car repair shop, craft business, medical practice, online shop, accommodation business): https://www.lda.bayern.de/de/kleine-unternehmen.html
5. What Else is Important to Know about the Records of Processing Activities (also: “Data Inventory” and “Data Mapping”)?
- The record of processing activities is often perceived as an annoying documentation requirement, but it is a central component for ensuring data protection compliance in a company.
- The maintenance of the records of processing activities is the responsibility of the company, not the data protection officer (DPO). However, the task may be delegated to the DPO if the latter agrees. Prior to the GDPR this was controversial, but now the possibility of delegation is recognised by supervisory authorities.
- The assumption that companies with fewer than 250 employees do not have to keep records of processing activities is mistaken, since one of the counter-exceptions in Art. 30 para. 5 GDPR usually applies, so the exemption rarely does.
- The effort required for the initial establishment of the records of processing activities should not be underestimated. The subsequent maintenance also ties up resources. Especially in medium-sized and larger companies, this requires clear processes and the involvement of all departments involved in the processing of personal data.
- There are various vendors of software tools for managing records of processing activities. In many cases, however, Excel files or a small SharePoint solution are sufficient. Software tools often bring along many other functions that are not necessarily wanted, cost money and lead to lock-in effects. The use of tools should therefore be carefully considered, especially in small and medium-sized companies. A great article about this: "Ten tips to avoid wasting thousands on privacy tools you don't need and ensure you get the ones you do need".
- The records of processing activities must be made available to supervisory authorities upon request.