Due to great demand from our customers and other interested parties on the topics of GDPR and the directory of procedures, SEC4YOU offered a GDPR workshop in November 2017. It specifically highlighted the implementation of GDPR measures and gave affected companies the opportunity to start on the measures directly at the workshop or to support their own project with templates and decision bases.
The workshop was aimed at public and private companies from all sectors that process or store personal data. Contrary to the widespread opinion that the GDPR only applies to large companies, workshop leader Manfred Scholz and two lawyers present answered this question conclusively:
The GDPR affects all companies that process personal data — regardless of company size and legal form — as of 25.5.2018!
After explaining the history of the GDPR and the position of Austria in the European vote, the participants agreed on the essential components of the GDPR implementation. As an important task within the GDPR measures, the new requirement of keeping a register of processing activities in Austria was discussed.
Directory of processing activities by means of software?
Contrary to the opinion of individual providers, a software tool for maintaining the directory of processing activities should not be in the foreground of a GDPR project, as the initial creation can usually be done in Excel or Word for small and medium-sized companies. In large companies, or if the maintenance effort for keeping and regularly checking or revising the directory is to be done by several employees or in distributed companies, the introduction of a special tool can also save costs.
The Directory of Processing Activities — DSGVO VV
German data protection has known this for over 10 years as a “procedural directory” or “procedural overview”; the GDPR now also requires companies to maintain a directory of processing activities. Experts see a difference here from the DSG 2000, under which Austria has (until May 2018), or had (as seen from May 2018), a basic obligation to report certain data applications to the data protection register.
An important feature of a procedure directory is that it records the company's data-processing processes, not the applications themselves.
=> What, therefore, does not belong in a directory of processing activities? For example, MS CRM, Excel or Exchange.
The important contents of the directory of processing activities are summarized below.
In the role of controller, the following must be recorded:
- Name and contact details of the controller, if applicable joint controller or a representative (EU).
- Name and contact details of the data protection officer
- Purpose of the processing
- Categories of data subjects
- Categories of personal data
- Categories of recipients
- Transfer to third countries (guarantees, if applicable)
- Deletion periods
- General description of technical and organizational measures (TOM according to Art. 32 para. 1)
On the other hand, processors have the following recording obligations:
- Name and contact details of the data controller, joint data controller or representative (EU), if applicable.
- Name and contact details of the data protection officer
- Categories of processing
- Transfer to third countries (guarantees, if applicable)
- General description of technical and organizational measures (TOM according to Art. 32 para. 1)
In the last part of the workshop, examples of what a directory of procedures looks like were shown, and the SEC4YOU template V1.1 of the directory of processing activities was presented.
Contents of the workshop
This is the recording of the workshop contents without sound.