Creating a list of processing activities
Companies use various key figures to measure their development in areas such as marketing, sales, customer success, human resources, finance or IT. Creating a record of processing activities can rationalize and combine all these efforts. Every company is expected to state in its privacy policy the purposes for which it processes the personal data of its customers and other data subjects. The record of processing activities gives an excellent overview of the activities of individual departments, of your company's processes and of how personal data is handled.
Article 30 GDPR obliges every company that acts as a controller within the scope of the GDPR to keep a record of processing activities (in German: Verzeichnis von Verarbeitungstätigkeiten, VVT) in written or electronic form. The VVT gives a comprehensive overview of the processing of personal data in the company. Processors must also keep a record of the categories of processing they carry out on behalf of their clients (Article 30(2)). The VVT shows the how and why of data processing, and it must be made available to the supervisory authority on request.
Article 30 GDPR: What exactly is a "processing activity"?
The term "processing activity" is not defined in the GDPR (only "processing" is, in Article 4(2)). It can therefore be unclear what must be documented and at what level of detail. In general, the GDPR requires documentation of the individual process steps in which personal data of employees, customers or other data subjects are processed, together with the legal basis and the purposes of each processing operation.
Article 30 GDPR: The record of processing activities
Article 30 GDPR defines the content of the record of processing activities. In addition to the name and contact details of the company and of the data protection officer, if any, the following information must be documented for each processing activity involving personal data:
- Purpose of the processing - why and for what purpose do you use personal data?
- Categories of data subjects - employees, customers, etc.
- Categories of personal data - contact, financial, health data, etc.
- Categories of recipients - to whom is the data disclosed?
- Information about recipients outside the EU/EEA, including the safeguards for such transfers
- Envisaged deletion periods
- Description of the technical and organizational measures (TOMs) protecting the data
You need a legal basis for all data processing. Article 30 does not list it as a mandatory field, but it is very helpful to record it in your VVT. Where processing relies on Article 6(1)(f) GDPR, also document the legitimate interests pursued by the controller or a third party, since these must in any case be disclosed to data subjects under Article 13(1)(d).
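The required fields above, held as a machine-readable register with a completeness check that also enforces the legal-basis rule just described. This is an added example and not code from the article or from 2B Advice PrIME; the field names, the sample activities and the rule that a recipient outside the EU/EEA needs a documented transfer safeguard (Article 30(1)(e) asks for documentation of suitable safeguards where applicable) are assumptions made for illustration.

```python
"""Minimal Article 30 register with a completeness check.

Added example, not the article's or any vendor's code. Field names, the
EU/EEA rule and the sample register below are assumptions for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# ISO 3166-1 alpha-2 codes: the 27 EU member states plus the EEA EFTA states.
EU_EEA = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
    "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
    "SI", "ES", "SE",
    "IS", "LI", "NO",
}

# The six legal bases of Article 6(1) GDPR.
LEGAL_BASES = {"6(1)(a)", "6(1)(b)", "6(1)(c)", "6(1)(d)", "6(1)(e)", "6(1)(f)"}


@dataclass
class Recipient:
    name: str
    country: str          # ISO 3166-1 alpha-2 code of the recipient
    safeguard: str = ""   # e.g. "adequacy decision", "SCCs"; needed outside EU/EEA


@dataclass
class ProcessingActivity:
    name: str
    purpose: str
    legal_basis: str
    data_subjects: list[str]
    data_categories: list[str]
    recipients: list[Recipient]
    deletion_period: str
    toms: list[str]                  # technical and organizational measures
    legitimate_interest: str = ""    # required when legal_basis is 6(1)(f)


def check_activity(a: ProcessingActivity) -> list[str]:
    """Return a list of findings for one entry; an empty list means complete."""
    findings: list[str] = []
    required = [
        ("purpose", a.purpose),
        ("data subjects", a.data_subjects),
        ("data categories", a.data_categories),
        ("deletion period", a.deletion_period),
        ("TOMs", a.toms),
    ]
    for label, value in required:
        if not value:
            findings.append(f"{a.name}: missing {label}")
    if a.legal_basis not in LEGAL_BASES:
        findings.append(f"{a.name}: no valid legal basis (got {a.legal_basis!r})")
    elif a.legal_basis == "6(1)(f)" and not a.legitimate_interest:
        findings.append(f"{a.name}: Art. 6(1)(f) used but legitimate interest not stated")
    for r in a.recipients:
        # Assumed rule: a non-EU/EEA recipient needs a documented transfer safeguard.
        if r.country not in EU_EEA and not r.safeguard:
            findings.append(f"{a.name}: recipient {r.name} in {r.country} has no transfer safeguard")
    return findings


def check_register(register: list[ProcessingActivity]) -> list[str]:
    """Run check_activity over every entry and flatten the findings."""
    return [f for a in register for f in check_activity(a)]


# Constructed sample register: one complete entry and two with gaps.
SAMPLE_REGISTER = [
    ProcessingActivity(
        name="Payroll accounting",
        purpose="Calculating and paying salaries",
        legal_basis="6(1)(c)",   # legal obligation (tax and social security law)
        data_subjects=["employees"],
        data_categories=["contact data", "bank details", "salary data"],
        recipients=[Recipient("Tax office", "DE"), Recipient("Payroll SaaS provider", "IE")],
        deletion_period="10 years after end of fiscal year",
        toms=["role-based access", "encryption at rest", "audit logging"],
    ),
    ProcessingActivity(
        name="Video surveillance of server room",
        purpose="Protecting IT infrastructure against intrusion",
        legal_basis="6(1)(f)",   # legitimate interest, but not stated below -> finding
        data_subjects=["employees", "visitors"],
        data_categories=["video recordings"],
        recipients=[],
        deletion_period="72 hours",
        toms=["restricted viewing rights"],
    ),
    ProcessingActivity(
        name="E-recruiting",
        purpose="Handling job applications",
        legal_basis="6(1)(b)",   # pre-contractual measures
        data_subjects=["applicants"],
        data_categories=["contact data", "CV", "qualifications"],
        recipients=[Recipient("Applicant tracking SaaS", "US")],  # no safeguard -> finding
        deletion_period="",      # missing -> finding
        toms=["TLS", "access control"],
    ),
]

if __name__ == "__main__":
    for finding in check_register(SAMPLE_REGISTER):
        print(finding)
```

Running the block prints three findings: the missing legitimate interest for the 6(1)(f) entry, the empty deletion period, and the US recipient without a documented safeguard; the payroll entry passes. Feeding the same check a register exported from a questionnaire tool turns the Article 30 field list into something you can re-run before every audit.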
Article 30 GDPR: Examples of processing activities
Examples of processing activities involving employee data include:
The use of software or devices with which employee data is collected, processed or used, e.g. systems for e-recruiting, payroll accounting, time recording, the digital personnel file, electronic access controls and video surveillance.
Article 30 GDPR: What impact does it have on my company?
Article 30(5) GDPR exempts companies with fewer than 250 employees from keeping a record only if their processing is occasional, is not likely to result in a risk to data subjects and involves no special categories of data or data on criminal convictions. In practice, almost every company therefore has to keep a record of processing activities, and it must be presented to the supervisory authority for inspection on request.
Before a company starts to create its record, it must first analyze which categories of personal data it processes, where the data is stored and how the data flows inside and outside the company. This analysis also forms the basis for compliance with other requirements of the GDPR, such as Article 6 (establishing a legal basis for the processing), Article 7 (conditions for obtaining consent) and Article 13 (duty to inform).
Article 30 GDPR: Are there templates for a VVT?
There are many templates for a VVT available online. Specialized software such as 2B Advice PrIME contains catalogs and templates that help you fulfill the documentation requirement by creating easy-to-answer online surveys that can be forwarded to the relevant specialist managers.
For example, a VVT questionnaire could ask these questions:
- Why do you process personal data?
- Whose data do you process?
- What types or categories of data do you process?
- How long do you store the data / when do you delete this data?
- What measures do you take to protect this data?
- With which third parties or providers do you share this data?
These questions should be answered by every internal department and business unit that processes employee or customer data.
Checklist Article 30 GDPR: How to master the challenge
Once the data inventory described above is in place, the following steps structure the work:
1. develop a standard questionnaire for the record of processing activities
2. define standardized guidelines and procedures for important requirements such as deletion obligations and technical and organizational measures
3. set risk thresholds to identify areas for improvement
4. check whether all data processing has a valid legal basis
5. update your privacy policy accordingly
6. maintain the electronic VVT regularly
These are some of the first steps to put a company on the path to data protection compliance. Other measures include service provider audits and employee training to minimize the risk of a data breach.
Article 30 GDPR: What are the penalties for violations?
The supervisory authorities are authorized to impose substantial fines on controllers and processors for a variety of infringements, including non-compliance with Article 30 GDPR. In this case, fines of up to €10,000,000 or up to two percent of the previous year's total worldwide annual turnover, whichever is higher, may be imposed (Article 83(4) GDPR).
Can the new Californian CPRA regulation be compared with Article 30 GDPR?
One of the most far-reaching provisions of the CPRA, Civil Code section 1798.185(a)(15), is comparable to Article 30 GDPR in that it requires businesses to perform annual cybersecurity audits and submit "regular" risk assessments if the processing of consumers' personal information "presents significant risk to consumers' privacy or security". When determining whether processing presents a significant risk, the CPRA names two factors to be considered: firstly, the size and complexity of the business; secondly, the nature and scope of the processing activities.
The main difference is that the CPRA also requires a company to submit a regular risk assessment to the California Privacy Protection Agency (CPPA) regarding its Processing of personal data.
Final thoughts: What should you do next regarding Article 30 GDPR?
If you are based in Europe, expanding into Europe, acquiring a business in Europe or merging with one, and you want to move your record of processing activities from Excel or other templates to an integrated, data-protection-compliant management system, 2B Advice can support you. Our 2B Advice PrIME software was developed in Germany, at the heart of data protection culture, and has been designed to meet the most stringent requirements of the GDPR and the European supervisory authorities.
Arrange a consultation today.
Sources:
ico.org.uk
iapp.org
leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.185.