What is a procedure directory for, and why keep one?
It sounds complicated, and what sounds complicated tends to get pushed aside. That should not happen in this case. The procedure directory is an overview of the individual processing activities, i.e. all processes in a company that process personal data.
Does every company need a procedure directory?
If data processing is carried out on a regular basis, a procedure directory must be kept. Even companies that employ fewer than 250 employees, as stipulated in Article 30 GDPR (DSGVO) (https://dsgvo-gesetz.de/art-30-dsgvo/), are obliged to document the processes in which they come into contact with personal data. To create the procedure directory, the data protection officer works together with the individual departments and proceeds systematically, using a checklist-based inventory.
What does a procedure directory look like?
The procedure directory should contain the following items, among others:
- Which process (e.g. applicant management, IT, purchasing, vehicle fleet)
- Names of the processor and the controller
- Entry date
- Contact details of the responsible person
- Description of processing/purpose
- Groups of persons concerned, data
- Recipient data, data from a third country
- Description of the protection of the data transfer to the third country
- Deletion periods
- IT security description
- Description of the physical security of the data
- Information pursuant to Articles 13 and 14 GDPR (DSGVO)
You should also find out which other items your directory needs to contain.
If documentation of the data is incorrect or insufficient, it must be adjusted accordingly.
A detailed overview showing which processes exist in the company can help. (https://externer-datenschutzbeauftragter-dresden.de/leistungen/)