Therefore you need a processing directory
Before the GDPR came into force, the processing directory was called “Lever List”. Only larger companies were obliged to lead this. Today the situation is different. According to Art. 30 GDPR, every company that collects, stores, redirects or processes personal data is obliged to keep a processing directory.
It is a legal requirement that should definitely be fulfilled. A company may be requested by the supervisory authority to submit the processing directory at any time. It serves as proof that the provisions of the GDPR are complied with for the supervisory authority. However, the processing directory also aims to demonstrate transparency for the processing of personal data in your company.
Contents of the processing directory
In a processing directory, you document the activities of your agency, such as the common business processes, as well as the types of data. You have always looked at the interaction with personal data. Some legal requirements must be met with the documentation.
Examples of agency-relevant business processes that are documented in a processing directory:
- Hosting a website at a hosting service provider
- Sending newsletters by means of an external provider
- Project management using an external tool
- Cooperation with freelancers, photographers etc.
In addition, the following data must be collected for each activity: scope, purpose of the processing, categories of personal data, categories of recipients, contractors (processors), legal basis for processing, data transfers to third countries or international organisations and deletion periods.
The creation of a complete and legally compliant processing directory is therefore quite complex. If there are changes to the processes or the above-mentioned legal requirements, these must be documented in the processing directory. It is therefore a continuous work and care that takes a lot of time.
