
Manage the record of processing activities

The record of processing activities is the central document for demonstrating data protection in an organisation. It is therefore mandatory for any type of organisation. It is expedient to keep this record digitally.

 

Background 

According to Art. 30 of the GDPR, every organisation is required to maintain a record of processing activities. In everyday use, it is also referred to as the "records of processing".

In the record of processing activities, all processes of the organisation in which personal data are processed are analysed. How detailed this analysis is depends on the process and the risks involved in processing the personal data.

For this reason, a process often summarises several detailed sub-processes in a larger context. For example, "applicant management" is often not subdivided into the sub-processes:

  1. Receipt of the application
  2. Processing of the application
  3. Distribution of the application
  4. Failure of the applicant
  5. etc.

Instead, the processes are defined according to:

  • Which personal data (so-called "data categories")
  • For which purpose (e.g. "implementation of an application procedure")
  • On which legal basis (here: consent of the applicant, initiation of an employment contract and legitimate interest of the employer)
  • How it is processed (here: by e-mail, by file server)
  • Who receives this data (here: HR department, relevant specialist department, management)

By considering these and other aspects, it becomes clear to the person handling such a process whether the processing is lawful and appropriate, whether there are risks for the data subjects, and perhaps also at which point such a process or its sub-processes can be optimised.

Furthermore, the record of processing activities provides a good overview of which IT systems or documents are used in the organisation to process personal data.

This overview is important in order to clarify whether a so-called processor has been involved in the processing. Special contractual arrangements would then have to be made with this processor.

For more information on the record of processing activities, see our wiki article on the subject.

Manage the record of processing activities

  1. In the main menu click on Data protection: A dropdown menu will open. 
  2. In the dropdown menu click on List of processing activities: The table view will open. 

The general functionality of the table view is described in the article Using the table view.

In the table view, you can see the overview of the already created processing activities. 

 


 

Import processing activity

  1. In the main menu click on Data protection: A dropdown menu will open. 
  2. In the dropdown menu click on List of processing activities: The table view will open. 
  3. In the table view click on the button +Processing activity: A slider will open through which the processing activities can be imported from the database.


The slider has the following data areas: 

  • Industry: Select the industry that applies to your company from more than 350 industries. 
  • Search: Use the search function to look for processing activities from your company.
  • Table: 
    • Checkboxes: In the table, you will find a checkbox in the first column that allows you to select processing activities. 
    • Title: In the column "Title" you will find the processing activities.
    • Applies to departments: The last column on the right shows you in which area the processing activity applies. 
  • Rows per page: Set how many rows you want to be displayed per page. The default setting is 25 rows per page.
  • Pagination: Switch between the different pages. 
  • Show all / Show non-existent: If you have already imported processing activities, you can hide them from the table by clicking "Show non-existent" to the right of the button.
  • Import: By clicking on "Import", the processing activities selected via the checkboxes in the table are transferred to your data protection documentation.

You are a client of Robin Data and you are missing a processing activity in your database? 

Robin Data will generate missing processing activities for clients upon request. In this case, please contact us via support@robin-data.io and briefly describe the missing processing activity. 

Create processing activity

  1. In the main menu click on Data protection: A dropdown menu will open. 
  2. In the dropdown menu click on List of processing activities: The table view will open. 
  3. In the table view click on the button +Processing activity: A slider will open.
  4. In the slider click on the button Create processing activity: An empty input mask will open. 
  5. Fill out the fields in the input mask.
  6. Click on Save: The processing activity has been created. 


The form has the following data areas: 

  • Specification: Edit the title, description, and organisational controller of the processing activity.
  • Legal basis: Define the purpose of the processing activity, its legal basis and justify your own interests in using this process. 
  • Data subject: Record which data are collected by whom in this processing activity.
  • Recipient: Analyse where the data from this procedure flows to.
  • Risk assessment: Assess the risk of the data processing for the data subjects according to a checklist. 
  • Technical-organizational measure: Select an applicable TOM from the drop-down menu.
  • Status & Release: Record the status and release cycle of the processing activity.
  • Notes: Make notes on the processing activity.

By clicking on the respective tab entries on the left side of the screen, you can switch between these data areas. 

Data area: Specification

This data area has the following form fields:

  • Title: Provide a short title (e.g., application intake, social media activities) indicating which processing activity you are documenting.
  • Description: Give a compact description of how the procedure (e.g., the receipt of applications) is carried out in your organisation. This description should describe the sub-steps of the process on which the procedure is based.
  • Applies to locations: Indicate at which locations of the organisation this processing activity applies. One or more locations may be specified. Especially centrally organised processes (e.g., Human Resources Management) are the same for several or all sites of an organisation. 
  • Applies to departments: Indicate in which department (e.g., departments or divisions) of the above locations this processing activity applies. 
  • Controller: Enter the controller (process owner) of the process. This is a person you have already identified or have yet to identify under Data protection > Persons (Manage persons help page).  
  • Processing activity of joint controllers: Enter if this is a process operated by joint controllers according to Art. 26 GDPR.

Data area: Legal basis

This data area has the following form fields: 

  • Purpose of processing: Indicate the purpose for which the process is operated. According to Art. 5 (1)(c) GDPR, the purpose must be adequate and relevant, and limited to what is necessary for the purpose of the processing. As a rule of thumb, one could say that purposes that one does not approve of oneself are not suitable to justify a processing of personal data. 
  • Legal basis in data protection law: Indicate the data protection-related legal basis of the processing. In addition to federal data protection laws (GDPR, BDSG), specific data protection laws of the federal states as well as of the Catholic and Protestant churches and other religious organisations may apply here. According to Art. 140 GG, recognised religious communities have the option of enacting their own data protection laws or data protection regulations. Article 91 of the GDPR confirms this fact.
  • Special legal bases: If the data processing of the processing activity is based on Article 6 (1) (c) of the GDPR (a legal obligation, e.g., transfer of wage data to the tax office) and Article 6 (1) (e) of the GDPR (a task in the public interest or in the exercise of official authority, e.g., food inspections by appointed inspectors), the specific legal bases applied should be specified here. These are very diverse according to the sector of the organisation. 

If you are missing a legal basis, we would be happy to receive an e-mail to: support@robin-data.io.

Data area: Data subject

This data area has the following form fields: 

  • Data subjects: Indicate the data subjects whose personal data are processed in this processing activity. 
  • Types of data: Enter the data types used in this process. Data types summarise categories of data and are usually concrete documents such as: testimonials, business letters, etc. Selecting the data type will automatically select the associated data categories.
  • Data categories: Enter the categories of personal data (e.g., surname, first name, e-mail address, etc.) that will be processed in this process.

Data area: Recipient

This data area has the following form fields: 

  • Internal receiver: Select which internal receivers within your organisation will receive and process personal data from this process. 
  • External receiver: Select which external receivers will receive and process personal data from this process. If the list is empty, you must enter the external recipients relevant to you under Data protection > External contacts.
  • Service provision: Specify which service provider or product of the external contacts is used in this process.
  • Data transmission to countries: Specify the countries to which personal data of the process will be transferred. A transfer of personal data to a third country (country outside the EU or a country without adequate data protection guarantees) is another measure for which Robin Data creates a corresponding activity for later processing.
  • Assigned contract: Select one or more contracts associated with the process. If no contract appears in the list, you must set an appropriate contract under Data protection > Contracts with external contacts.

Data area: Risk assessment

In this data area, you assess what risks the process poses to data subjects. It may be necessary to create a data protection impact assessment under Data protection > Data protection impact assessment.

As a rule of thumb, a data protection impact assessment is required if at least two of the following criteria are met. However, each risk assessment is a case-by-case decision made by the controller.

  • Automated individual case decisions are implemented: Examples are Schufa or credit decisions at banks.
  • Data of vulnerable data subjects are processed: Examples are the processing of data of children or disabled persons. See also glossary data protection.
  • Transmission of personal data outside the EU takes place: Example is the transfer of this data outside a company to unsafe third countries such as China.
  • Novel technologies are used: Examples include the use of data mining, big data, or machine learning.
  • Scoring, profiling, evaluation of persons is carried out: Examples include evaluating performance data in the workplace or sports, scoring to determine creditworthiness.
  • Data stocks of personal data are compared or merged: Examples are profiles in social networks or evaluation of different data sources at the workplace.
  • Systematic surveillance of persons is carried out: Examples are camera surveillance of workplaces or GPS tracking of cars or trucks or their drivers.
  • Large amounts of personal data are processed: Examples include companies that collect data on a large scale (Post, Google, Facebook) or have many customers (e-commerce retailers).
  • Difficulties in exercising the rights of the persons concerned exist: Examples include data processing in different countries with language barriers.
  • Sensitive personal data are processed: Examples include processing large amounts of health data (e.g., hospital) or processing financial data in a tax office.

Finally, make an assessment of the risks and determine whether a data protection impact assessment is required for this processing activity:

  • Risk assessment: The assessment of risks in this processing activity depends on how the individual criteria have been assessed. It usually depends on the context and should ideally be made jointly within the data protection organisation. If at least two of the above criteria are met, the risk should be assessed as at least medium. If more than two criteria are met, the risk should be assessed as high.
  • Data protection impact assessment required: If the risk is assessed as medium, a data protection impact assessment may be required. If the risk is assessed as high, a data protection impact assessment is mandatory. You can perform a data protection impact assessment under Data protection > Data protection impact assessment.

Data area: Technical-organizational measure

  • Technical-organizational measure: Use the search or scroll through the list of TOMs to store a corresponding technical-organisational measure.

Data area: Status & Release

In this data area it is possible to manage the status of a document and to map the release procedure of the document.

A processing activity is usually created by one person, for example the employee of a specialist department. 

In addition to this person, another person should check whether the process complies with the law. This can be done by the data protection officer, for example. At the end of the chain, someone must officially approve the processing activity. This can be done, for example, by the supervisor.

This data area has the following form fields:   

  • Status: Indicate the current processing status of the processing activity.
  • Created by: Indicate the person who created this processing activity.
  • Created on: Enter the date on which the creation of this processing activity was completed.
  • Tested by: Enter the person who audited this processing activity.
  • Tested on: Enter the date on which the audit of this processing activity was completed.
  • Released by: Enter the person who released this processing activity.
  • Released on: Enter the date this processing activity was released for use.

Data area: Notes

This field provides space for your notes on this processing activity.

Edit processing activity

  1. In the main menu click on Data protection: A dropdown menu will open. 
  2. In the dropdown menu click on List of processing activities: The table view will open. 
  3. In the table view click on the Title column of a processing activity: The processing activity will open. 
  4. Edit the processing activity.
  5. Click on Save: The changes to the processing activity have been saved. 

The different data areas are explained in more detail in the item Create processing activity. In addition, you will find the data areas "Activity" and "Reference" on the right side of the input mask.


Data area: Activity

This data area displays all activities that are linked to your processing activity. To create an activity, click the "Create activity" button at the top right. This will open a new input form. For a more detailed explanation, please refer to the article Activity manager.

Data area: Reference

This data area displays all deletion classes that are linked to your processing activity. To create an erasure class, click the "Create erasure class" button at the top right. For more information on creating deletion classes, please refer to the article Erasure concept.

Copy direct links to processing activities

  1. In the main menu click on Data protection: A dropdown menu will open. 
  2. In the dropdown menu click on List of processing activities: The table view will open. 
  3. In the table view click on the Title column of a processing activity: The processing activity will open. 
  4. Click on the orange symbol next to the document ID: The link to the processing activity has been saved to your clipboard and can be copied.


Further questions? - We are here for you.

If you have any questions about the software, please contact our support team. You can reach us at support@robin-data.io.