Since the introduction of the General Data Protection Regulation (GDPR) in 2018, companies have had to adapt to many changes in data protection. One of them is the register of processing activities (ROPA). It is one of the most important documents a company must create to comply with data protection requirements and to meet the accountability obligation of Art. 5(2) GDPR.
The GDPR requires companies to maintain written documentation giving an overview of all automated and manual processes that involve the processing of personal data (Art. 30 GDPR). But what is behind this requirement, who must keep such a register, and what do you have to pay attention to? We show you what a register of processing activities must look like and give helpful tips for a GDPR-compliant implementation.
Do you need support or have questions about the register of processing activities? Our team of experts in data protection law, IT, and security will be happy to support you in implementing data protection requirements. Contact us directly for a no-obligation initial consultation.
Art. 30 GDPR obliges controllers and processors to keep written documentation (electronic form is sufficient) giving an overview of all processes that work with personal data. This means that every processing operation involving personal data, not only special categories of data, must be listed and itemized in this register.
In addition, the essential details of each processing operation must be documented there, such as the purposes of the processing, the categories of data subjects and of personal data, and the categories of recipients.
The register also serves as the basis for inspections by the competent supervisory authority: under Art. 30(4) GDPR it must be made available to the authority on request. For companies, it therefore makes sense to create and maintain the register with great care in order to demonstrate that effective data protection management is in place.
Otherwise, there is a constant risk of conflicts with the supervisory authority, up to and including fines for violating the GDPR.
Every company with 250 or more employees must maintain such a register. In addition, Art. 30(5) GDPR also obliges companies with fewer than 250 employees to keep a register if the processing is likely to result in a risk to the rights and freedoms of data subjects, if the processing is not occasional, or if it includes special categories of data (Art. 9(1) GDPR) or personal data relating to criminal convictions and offences (Art. 10 GDPR):
Good to know: Almost always, one of these exceptions applies, if only because most companies keep personnel files in which very personal data of employees is regularly stored, modified, or deleted, which is processing that is anything but occasional. As a result, almost every company must maintain such a register.
If the supervisory authority requests a ROPA and the company cannot provide one because it does not maintain one, the authority will first ask why. The company may well take a different view on whether it falls under the obligation to keep a register. In some cases, the consequence is a costly and lengthy legal dispute.
In most cases, the authority will require the company to maintain a register. If the company fails to comply, or if it is evident that a register should have been kept, substantial fines may be imposed: under Art. 83(4) GDPR, infringements of Art. 30 can be fined with up to EUR 10 million or up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher. Member State law may provide for additional sanctions (Art. 84 GDPR). These penalties should not be underestimated.
Sometimes the authority grants the company a deadline, usually 2-3 weeks, to submit a register of processing activities.
Good to know: You should never rely on the goodwill of authorities with your company. It is, therefore, advisable to avoid a dispute and create a ROPA immediately.
The register of processing activities is not public, so there is no risk of company or trade secrets being disclosed through it. Even data subjects, who in principle have the right to obtain information about the use of their data (Art. 15 GDPR), have no right of access to this record, and it does not have to be made available to them.
Internally, inspection is usually limited to the data protection officer, who is also involved in drawing up the register, and the company's executive board and management. In addition, as already mentioned, the register must be provided to the competent supervisory authority on request.
Almost all companies must maintain a register of processing activities, as prescribed by the GDPR. The register is not entirely new: the previously applicable German Federal Data Protection Act (BDSG) already required a so-called procedure directory (Verfahrensverzeichnis).
The new register replaces the previous procedure directory with some changes. The term "processing" in Art. 30 GDPR is to be understood broadly (see the definition in Art. 4(2) GDPR): it covers any operation on personal data, such as collecting, storing, deleting, modifying, combining, retrieving, comparing, or disclosing it. All processes in which personal data plays a role must therefore be listed in the register.
Various details must be provided in the register, such as the categories of processing, the contact details of the controller and the data protection officer, the categories of data subjects, the purposes of the processing, and the recipients of the data (insofar as it is not processed purely internally).
Art. 30(1)(f) and (g) GDPR also require, where possible, a general description of the technical and organizational measures (TOM) and the envisaged time limits for erasure. Recording the deletion periods also helps to reconcile them with legal retention periods.
The register records which processing activities exist in a company. That is important for the supervisory authority during inspections, and it also tells the company itself which processes are actually carried out. It gives a better overview of where processing takes place and whether it can be optimized or, where appropriate, reduced in order to counter significant risks of data protection incidents.
Once the actual data processing structures are visible, good data protection management can be built on them. Carefully compiled, the register means additional effort only in the short term. In the long run, it makes it easier for companies to comply with data protection law and reduces risk.
In principle, companies have a free hand in designing the register of processing activities. The GDPR does not prescribe a specific format or template, and there is no official form.
Nevertheless, there are some requirements as to what such a register should include:
Beyond the rough structure, some content requirements must be observed. These relate primarily to the main part of the directory, in which the individual processes are set out.
Each processing activity must be described in detail based on the following criteria:
Tip: With the Priverion Data Protection Platform, you can create a legally compliant register of processing activities clearly and simply. It documents all processes in your company that use personal data, summarizes all the legally required information, and provides an up-to-date overview at all times, for example of the purpose of the processing, its legal basis, the persons involved, the persons responsible, and all the information needed to demonstrate compliance with data protection law. The link between deletion and retention periods and your system landscape lets you see at any time which deletion and retention periods apply to each system, on-premises and in the cloud.
It is important to note that, in principle, the management of the controller is responsible for creating the register. The data protection officer advises and supports the company and its management in all matters relating to data protection, including the creation and maintenance of the register of processing activities.
First, the data protection officer should gain an overview of all the company's processes; the GDPR gives the DPO the authority to do so. To record every process involving personal data, the DPO can approach the individual departments and have them explain how they handle personal data.
In doing so, the data protection officer should ask for the following information:
In addition, the data protection officer can ask the individual departments for active support in gathering and preparing information about their processes. It is not necessary to interview each employee individually; it is sufficient if each department prepares a summary of its activities and the persons responsible and forwards it to the data protection officer, who then enters the collected information into the register.
The aim of this information gathering must be a detailed overview of all processing of personal data in the company, so as to ensure that the ROPA is complete.
To this end, it may also be helpful to involve an external consultant when drawing up the register of processing activities. Our consultants specialize in this area, know which questions to ask, scrutinize existing processes, and are aware of problems that might otherwise go unnoticed.
Good to know: An external consultant arrives already qualified and needs no internal onboarding. An objective and well-trained eye can make a real difference when creating a register of processing activities and reviewing data protection in the company.
Creating a register of processing activities is time-consuming; a document of 100 pages is not uncommon. The Priverion platform simplifies its creation and maintenance. Once created, the register provides essential insight into the company's data protection. In addition, many documents that become part of the register already exist and merely need to be incorporated.
During the creation process, errors and risks usually come to light that might otherwise never have been noticed. It is therefore an opportunity to scrutinize, check, and, where necessary, "declutter" the company's processing activities.
Processes can be optimized and brought up to date, and afterwards the company knows precisely which data it processes and which of it is superfluous. In this way, the overall system becomes more efficient.
So in addition to fulfilling the legal obligation to maintain such a record, the register offers many opportunities. Not least, companies develop a sensitivity for their processes and for ways to improve their handling of personal data.