Obligation since the GDPR was applied
But this is exactly the case: all processing operations must be listed in the processing directory, i.e. where and how customer data is stored, what customer data is stored, how long it is stored, who has access to this data and many things Further. A good overview of the processing directory can be found here.
The processing list is regulated in Article 30 GDPR:
Each controller and, where appropriate, his representative shall keep a list of all processing activities which are within its competence. Unfortunately, this now affects more companies/managers than you first think.
The obligations […] do not apply to undertakings or entities employing fewer than 250 people, unless […] the processing is not only carried out occasionally […].
Even if the “occasionally” is not defined, this is likely to affect anyone who processes customer data because you have logged-in users, because you sell products or services to users, offer virtual items, etc.
As data protection authorities are already very active, an audit will ensure that such a directory has been created. This is, of course, all the more true if you are responsible for a data protection incident. The first impression would be catastrophic if you did not create a directory and thus clearly show that one has only given very limited thought to data protection in the company/as a provider.
A processing directory sounds at first similar to a data protection declaration, but is not something that is made publicly available on the homepage etc. Rather, it is a representation of what data protection processes take place and of course concerns the own website, the webshop, but also the transfer of data to the tax advisor, debt collection, dealing with payment providers and all other aspects. Also affected are own employees, moderators, etc., whose salaries you and social security data are stored, for example. For agencies, etc., this would also be classic data that is stored in a CRM system, pitches, offers, applications and all other aspects with personal data.
Contents of the processing directory
What needs to be included in the processing directory? Now at least the purposes of the processing, a description of the categories of data subjects and the categories of personal data, the categories of recipients to whom the personal data have been disclosed or are still being disclosed. Of course, particular attention must be paid to transfers to third countries. In addition, there are the legal bases for storage, the time limits for the deletion of the various categories of data and, if possible, a general description of the technical and organisational measures in accordance with Article 32 (1) GDPR, since the Data security is another issue that is often ignored, but which is very important for data protection authorities.
The fewest processing directories will be perfect, but the effort of having managed one alone is likely to reward many data protection officers in the possible investigation of fines. It also serves, of course, to become aware of the events and, therefore, it is also possible to carry out duties such as the obligation to explain the processing purposes in accordance with Article 5(5) of the 1 lit. (b) GDPR, proof of the legality of the processing is in accordance with Article 5(3) 1 lit. a) GDPR, proof of data minimisation under Article 5(3) 1 lit. c) GDPR, proof of the correctness and timeliness of the data in accordance with Art. 1 lit. d) COMPLY with GDPR and numerous other obligations.
Electronically, of course:_)
By the way, the processing directory can of course also be kept in an electronic format. So no one has to pull pens and paper.
Do you have any questions? Contact me.