GDPR (EU General Data Protection Regulation)
Information on the creation of records of processing activities pursuant to Art. 30(1) GDPR
A list of the processing activities pursuant to Art. 30(1) GDPR must cover all of the information listed in Art. 30(1) Sentence 2 lit (a-g) GDPR as final information for the whole company. This information must give a meaningful description of the processing activities of the person responsible.
The preparation of records of processing activities does not in any way fulfill all the documentation requirements stipulated by the GDPR.
The list is only one building block in order to comply with the standardized accountability in Art. 5(2) GDPR. For example, the Conditions for consent (Art. 7(1) GDPR), the Responsibility of the controller (Art. 24(1) GDPR) and the result of Data protection impact assessments (Art. 35(7) GDPR) must be carried out so that the appropriate documentation can be verified.
Requested information that asks a person about the processing of personal data is about:
- the purpose and legal basis of the collection, processing or use of personal data
- the categories (e.g. debtors, health data, credit data) of personal data being processed
- the deadlines for the deletion of personal data or for the examination of the deletion as well as
- the origin of the personal data (e.g. telephone directory, business card), insofar as these were not collected from the data subject (e.g. registration form, profile page)
The rectification of personal data is about a change that a person can request, for example: when changing address, telephone number or family name. Central management of all personal data can reduce the maintenance effort. The EDP should be able to take over the changes and not carry out duplicate data storage.
A person may arrange for the deletion of their personal data. This has the consequence that all references to the person, for example, in all EDP computerized systems must be removed, unless they are required by other regulations, e.g. for accounting purposes. A pseudonymization makes it possible to avoid any kind of inference to a person, now or in the future, which is comparable to a deletion.
A person may restrict the use of their personal information, for example, to prevent the sending of advertising e-mails. All EDP systems should therefore be able to use the same database to effectively implement restrictions across all EDP systems.
For systems that you operate on-site, you also incur the obligation to document how personal data is processed. Here we can support you with additional information about our software products (as a download), so that you can complete this information for your processing activity directory. Optionally, you can also access our Professional Service Consulting offer for the GDPR.
If you use our hybrid cloud building blocks, such as ProCall Web Communication Services or ProCall Mobility Services, you have already received the contract documents containing information about your personal data processing activity. Of course, you will also find these on our product page.