Article 30 GDPR: What are the requirements?


Creating a list of processing activities

Companies use various metrics to analyze their performance in areas such as marketing, sales, customer success, human resources, finance or IT. Creating a record of processing activities can streamline and connect all of these efforts. All companies are expected to provide information in their privacy policy about the purposes for which they process the personal data of their customers and other data subjects. The record of processing activities provides an excellent overview of the activities of individual departments, the processes of your company and the handling of personal data.

Article 30 obliges every company that acts as a data controller within the scope of the GDPR to keep a "record of processing activities" (RPA) in written form, which includes electronic form. The RPA provides a comprehensive overview of the processing of personal data in the company. Processors must also keep a record of the processing they carry out on behalf of their clients. The RPA shows the how and why of data processing, and it must be submitted to the supervisory authority upon request.


Article 30 GDPR: What exactly is a "processing activity"?

The term "processing activity" is insufficiently defined in the GDPR. As a result, it can be unclear what is subject to documentation and to what level of detail. In general, the GDPR requires the individual process steps in which personal data of employees, customers or other data subjects are processed to be documented. The same applies to the legal basis and purposes of any data processing.

Article 30 GDPR: The record of processing activities

Article 30 GDPR defines the content of the record of processing activities. In addition to the name and contact details of the company and the data protection officer, if any, the following information must be documented for each processing of personal data:

  • Purpose of processing - Why and for what purpose do you use personal data?
  • Categories of data subjects - employees, customers, etc.
  • Categories of personal data - contact, financial, health data, etc.
  • Categories of recipients - To whom is the data disclosed?
  • Information about recipients outside the EU/EEA
  • Deletion periods
  • Description of the technical and organizational security measures / protective measures

You need a legal basis for all data processing, and it is very helpful to record it in your RPA. Where data processing is based on Article 6(1)(f) GDPR, you must also document the respective legitimate interests pursued by the controller or a third party.

Article 30 GDPR: Examples of processing activities

Examples of the processing of employee data may include the following:

The use of special software or devices with which employee data is collected, processed or used (e.g. systems for e-recruiting, payroll accounting, time recording, digital personnel files, electronic access controls, video surveillance).


Article 30 GDPR: What impact does it have on my company?

Article 30 GDPR stipulates that all companies with more than 250 employees must keep a record of processing activities. It must be submitted to the supervisory authority for review upon request.

Before a company starts to create an RPA, it must first analyze which categories of personal data it processes, where the data is stored and how the data flows inside and outside the company. This analysis also forms the basis for compliance with other requirements of the GDPR, such as Article 6 (establishing a legal basis for processing), Article 7 (conditions and requirements for obtaining consent) and Article 13 (information obligations).


Article 30 GDPR: Are there templates for an RPA?

There are many templates for an RPA available online. Specialized software such as 2B Advice PrIME contains catalogs or templates to help you fulfill the documentation requirement by creating easy-to-answer online surveys that can be forwarded to the relevant specialist managers.

For example, an RPA questionnaire could ask these questions:

- Why do you process personal data?

- Whose data do you process?

- What types or categories of data do you process?

- How long do you store the data / when do you delete this data?

- What measures do you take to protect this data?

- With which third parties or providers do you share this data?

These questions should be answered by every internal department and business unit that processes employee or customer data.


Checklist Article 30 GDPR: How to master the challenge

1. Develop a standard questionnaire for the data protection impact assessment.

2. Define uniform guidelines and procedures for important requirements such as deletion obligations or technical and organizational measures.

3. Set risk thresholds to identify areas for improvement.

4. Check whether all data processing has a valid legal basis.

5. Update your privacy policy accordingly.

6. Maintain the electronic RPA regularly.

These are some of the first steps to put a company on the path to data protection compliance. Other factors can include service provider audits or conducting employee training to minimize the risk of a data breach.

Article 30 GDPR: What are the penalties for violations?

The supervisory authorities are authorized to impose significant fines on controllers or processors. Fines can be imposed for a variety of infringements, including non-compliance with Article 30 GDPR. In this case, fines of up to €10,000,000 or up to two percent of the previous year's global turnover, whichever is higher, may be imposed.

Can the new Californian CPRA regulation be compared with Article 30 GDPR?

One of the CPRA's most far-reaching provisions, Section 1798.185(a)(15), is similar to Article 30 of the GDPR in that it requires businesses to conduct annual cybersecurity audits and "periodic" risk assessments if the business's "processing of consumers' personal information poses a significant risk to the privacy or security of consumers." In determining whether the processing poses "a significant risk", the CPRA identifies two factors to consider: first, the size and complexity of the business; second, the nature and scope of the processing activities.

The main difference is that the CPRA also requires a company to regularly submit a risk assessment to the California Privacy Protection Agency (CPPA) in relation to its processing of personal data.

Final thoughts: What should you do next regarding Article 30 GDPR?

If you are based in Europe, expanding into Europe, acquiring a business in Europe or merging with a business in Europe, and you want to move from creating and maintaining your RPA in Excel or other templates to an integrated, data protection compliant management system, 2B Advice can support you. Our robust 2B Advice PrIME software was developed in Germany, at the heart of data protection culture. 2B Advice PrIME has been designed to meet the strictest requirements of the GDPR and European supervisory authorities.

Arrange a consultation today.

Sources:

- ico.org.uk
- iapp.org
- leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.185.
