The processing directory is a central element in an organization’s data protection management. It serves as proof that the organization complies with the General Data Protection Regulation (GDPR) and is thus an indispensable tool for documenting data processing procedures.

What is a processing directory?

A processing directory is a document or collection of documents that records all personal data processing activities within an organization. It serves as an inventory for data processing and helps to document and prove compliance with data protection requirements.

Legal basis

The obligation to maintain a processing directory arises from Article 30 of the General Data Protection Regulation (GDPR). This Article obliges both the controller and the processor to keep a register of all processing activities under their responsibility.

Contents of the processing directory

According to Article 30 GDPR, the processing directory must contain the following information:

• The name and contact details of the responsible person and, if applicable, the jointly responsible person, the representative of the responsible person and the data protection officer.
• The purposes of processing.
• A description of the categories of data subjects and categories of personal data.
• The categories of recipients to whom the personal data have been or will be disclosed.
• Planned deadlines for the deletion of the various categories of data.
• A general description of the technical and organizational measures to ensure data security.

Significance for data protection

The processing directory is a key tool for implementing the accountability obligation under Article 5(2) GDPR. It enables data protection supervisory authorities to effectively verify compliance with the GDPR and serves as a basis for the data protection impact assessment under Article 35 GDPR.

Creation and update

The creation of a processing directory requires a careful analysis of all data processing operations within the organization. It is important to involve all relevant departments and ensure that the inventory is complete and accurate.

The processing directory is not a static document. It must be updated regularly, especially when processing activities change.

Exceptions

Small companies with fewer than 250 employees are exempt from the obligation to maintain a processing directory under certain circumstances. However, this exception shall not apply where the processing presents a risk to the rights and freedoms of data subjects, the processing is not occasional or involves the processing of special categories of data pursuant to Article 9 of the GDPR or personal data relating to criminal convictions and offences pursuant to Article 10 of the GDPR.

Best Practices

• Structuring: Structure the processing directory clearly and concisely. It may be helpful to break down processing activities by department or process.
• Documentation: Document not only the processing activities currently carried out, but also planned processing operations to ensure that the directory is always up to date.
• Communication: Ensure that all employees involved in the processing of personal data are aware of the processing directory and know how to report changes.
• Technical and organizational measures: In the processing directory, also describe the technical and organizational measures taken to secure the data.

Conclusion

Keeping a processing register is a key requirement of the GDPR and an important step in ensuring data protection in an organization. By carefully documenting all processing activities of personal data, the directory helps to create transparency and to prove compliance with data protection requirements.