A processing directory (also called a list of processing activities, or VVT) serves as proof of data protection compliance and provides transparency: based on the directory, a supervisory authority can quickly recognize whether a company is working in compliance with data protection regulations. In the following, we provide practical answers to the most important questions about the processing directory.
What is a processing directory?
A processing directory is a written overview of all processes in a company in which personal data are processed. In accordance with Article 30 GDPR, it contains essential information on all data processing, such as purpose, categories of data subjects and data, recipients, etc., and must be submitted in full to the data protection supervisory authority upon request.
Who needs a processing directory?
In principle, every company or responsible body that processes personal data needs a processing directory, as does every processor (service provider). The GDPR applies to all controllers and processors in the EU (or with EU-related data processing), regardless of sector or size. Even sole proprietorships or associations must keep a VVT if they process personal data more than just occasionally, which is almost always the case these days.
Exceptions: In Art. 30 para. 5, the GDPR provides for some narrow exceptions for companies with fewer than 250 employees. As an exception, no processing directory is required if all of the following conditions are met:
- Occasional processing: Data processing only takes place occasionally, i.e. not regularly in day-to-day business (a criterion that hardly applies in practice, as even small companies regularly process customer data, employee data or website data).
- No risk for data subjects: The processing does not pose a risk to the rights and freedoms of data subjects (difficult to guarantee in practice).
- No sensitive data: No special categories of personal data pursuant to Art. 9 (1) GDPR (e.g. health data) and no data on criminal convictions pursuant to Art. 10 GDPR are processed.
Attention: This exception almost never applies. After all, even maintaining a customer file, an employee list, a website with a contact form or payroll accounting means regular processing of personal data. In practice, therefore, small companies also need a processing directory, especially as it is a central requirement of the GDPR accountability obligation. The supervisory authorities regard the VVT as a focus of their reviews: if it is missing or incomplete, there is a risk of serious consequences.
When must a processing directory be created?
The obligation to create the directory exists as soon as a company begins to process personal data. With the entry into force of the GDPR on May 25, 2018, the processing directory became mandatory for responsible bodies. In practical terms, this means that a corresponding entry should be made in the VVT before, or at least at the same time as, starting a new data processing operation. A company should therefore create the directory at the latest when starting its activity or introducing a new process (e.g. new CRM system, new employee administration), and from then on continuously maintain and update it.
The documentation must be maintained on an ongoing basis: outdated entries must be removed and new processing operations added promptly. The directory should always be up to date, as the authority will not grant a long extension in the event of an audit. It expects a current processing directory to be available at all times. Irrespective of the legal obligation, it is in the interest of every company to keep a VVT from the outset: it provides an overview of all data processing and proves GDPR compliance to supervisory authorities or in the event of complaints.
What are processing activities according to GDPR?
The term processing activity basically refers to any activity or process in the company that involves personal data. The GDPR defines "processing" very broadly: from the collection and storage to the deletion of data. This means that all processes that involve working with personal data count as data processing, for example the recording of customer data, the maintenance of a supplier database, the keeping of employee files or the use of video surveillance.
A processing activity within the meaning of the directory groups together all related processing operations for a specific purpose. This means that individual data processing steps are combined into one process, provided they serve the same purpose. For example, personnel administration as a whole can be documented as one processing activity (with the sub-processes recruitment, payroll, vacation administration, etc.), provided that they all serve the purpose of personnel administration. In larger companies, more detailed subdivisions will be made, such as separate processing activities for applicant management, employee administration and payroll accounting. The decisive factor is the processing purpose: all processes that serve a common purpose form one processing activity in the directory. In addition, there may be processing activities that the company carries out as a processor for third parties. These must also be listed in their own VVT.
What does a processing directory look like?
There is no strict formal requirement for the processing directory. For example, it can be kept as a table, Word document, Excel list or in a software program. It is important that all legally required mandatory information in accordance with Art. 30 GDPR is included and that the list is comprehensible in itself. The supervisory authority must be able to check the document without having to ask questions. A digital, searchable form is recommended for practical reasons.
What information must be included in the VVT?
In terms of content, the register must contain at least the following information for each processing activity:
- Name and contact details of the controller (company) and, if applicable, the data protection officer. In the case of processors, the contractor and all clients (customers) must be named instead.
- Purpose of the processing. What is the data processed for? (e.g. personnel administration, customer service, advertising mailings)
- Description of the categories of data subjects and personal data. In other words, which groups of people (customers, employees, suppliers, etc.) and which data categories (e.g. contact data, contract data, health data, etc.) are processed.
- Categories of recipients. Who receives the data? (Internally e.g. departments, externally e.g. tax consultants, IT service providers, authorities)
- Transfers to third countries. If data is transferred outside the EU, this must be indicated, including the corresponding guarantees under Chapter V GDPR (e.g. standard contractual clauses for transfer to the USA).
- Deadlines envisaged for deletion. Where possible, retention periods or deletion periods for the data categories should be specified (e.g. application data is deleted 6 months after rejection, contract documents are archived for 10 years after the end of the year).
- General description of the technical and organizational measures (TOM) to protect the data. Here, an overall presentation of the data security measures (e.g. access controls, access restrictions, encryption, training, etc.) is sufficient, as detailed concepts may exist separately.
Practical tip: An example table or template for a processing directory can be found on the websites of the Data Protection Conference or your state data protection officer. Alternatively, specialized tools such as Ailance RoPA offer structured input masks for all mandatory information.
Link tip: Notes from the Data Protection Conference on the list of processing activities, Art. 30 GDPR
What is the difference between a processing directory and a procedure directory?
The terms are often used synonymously today. "Procedure directory" is an outdated term from the former Federal Data Protection Act (BDSG old): before the GDPR applied, companies had to keep a so-called public register of procedures. In terms of content, however, this meant largely the same thing: an overview of the data processing procedures at the responsible body. The difference therefore lies primarily in the legal context: under the GDPR, one speaks of the list of processing activities (Art. 30 GDPR), and it is used for internal accountability to the supervisory authority. In the past, the procedure directory was partly publicly accessible. Under the old legal situation, the responsible body had to make the information from the procedure directory available to anyone upon request. Today, this obligation to make information public no longer exists, but there is a stricter internal documentation obligation (fines may be imposed if this is breached). As a result, there is no difference in content, only in terminology: the processing directory corresponds to the former procedure directory.
What are the penalties for a missing processing directory?
Keeping a processing directory is a legal obligation. Companies that are unable to provide a directory or keep an incomplete one risk substantial fines. According to Art. 83 para. 4 a GDPR, an infringement can be punished with up to €10 million or 2 % of global annual turnover. It is true that supervisory authorities rarely make full use of this framework for small companies and take the interests of SMEs into account (recital 13). Nevertheless, there are already known cases in which severe penalties have been imposed. For example, in Italy in 2021, a fine of 800,000 euros was imposed because a company did not provide any processing directory and the data management was "chaotic". In Germany, too, there have already been warnings and threats of fines from state data protection authorities, particularly in the case of audits in the healthcare sector and online stores.
Apart from fines, without a VVT there is also a higher risk of not having proof of exoneration in the event of data protection breaches. A cleanly managed processing directory can serve as important evidence in an emergency to prove one's own compliance to the supervisory authority or the courts.
Create the VVT digitally: On the safe side with Ailance RoPA
In practice, many companies start their VVT with Excel or Word templates. However, especially as requirements grow, the use of specialized data protection software is worthwhile. One example is Ailance™ RoPA from 2B Advice: a software solution that lets you conveniently create and maintain the list of processing activities digitally.
With Ailance™ RoPA, you automate the processing directory, reduce manual effort and benefit from intelligent reporting. The software was developed by data protection experts and adapts flexibly to individual company requirements.
Example from practice: An external data protection officer looks after five medium-sized companies. Instead of managing five separate Excel lists, he maintains the VVTs in Ailance RoPA on a multi-client basis, is automatically notified of new processing activities and generates documentation for the supervisory authority at the touch of a button.
For data protection officers who look after several companies, Ailance RoPA also offers multi-client capability and collaboration functions to work efficiently with different departments or external partners on the VVT.
Example from practice: A globally active company in the automotive industry with production sites and supply chains in over 30 countries must comply with various legal requirements and regulations. The group now has over 1,000 users in more than 350 business units working with Ailance™ RoPA. Well over 10,000 processing operations are controlled automatically within the group.
Conclusion: Whether a small start-up or a large corporation, the processing directory is and remains the central instrument for data protection and transparency. With the basics and tools explained above (including professional tools such as Ailance RoPA), companies are on the safe side when it comes to keeping their list of processing activities GDPR-compliant, up to date and efficient. In this way, you not only fulfill the legal requirements, but also create internal transparency about your data processing and strengthen the trust of customers and employees in data protection.





