The GDPR requires business owners to maintain a register of processing activities (Article 30 GDPR). In this second part on the VVT, you will learn what the content of a VVT must look like.
Read here Part 1 of the VVT series on the obligation to keep a VVT.
How is a VVT structured?
The obligation to keep a VVT is stated in Art. 30 GDPR. The directory forms the core of every data protection management system (DSMS) and enables an overview of all processing operations taking place in a company.
For this purpose, a VVT roughly contains two parts: On the one hand, basic data such as the name and contact details of the controller or processor and, on the other hand, the individual processing activities. The mandatory content for the directory of a processor is somewhat less (Art. 30 II GDPR) than for a controller (Art. 30 I GDPR). This is mainly due to the fact that they are bound by instructions. Learn more about the distinction between a controller and a processor here.
How to create a VVT?
Whether you are a controller or processor: You can create your VVT in these three simple steps.
Step 1: Basic data in VVT
The directory contains first of all the basic data about the person who creates the VVT.
A responsible person indicates here his name and contact details as well as those of his representatives. If more than one is responsible, this information must be provided for all responsible persons. If the Obligation to appoint a data protection officer, its name and contact details must also be provided.
In addition to its own name and contact details, a processor must also state those of the respective principal and, if applicable, its data protection officer.
Step 2: Processing activities in the VVT
Second, the directory contains a list of all processing activities that take place. Processing activities are defined in Art. 4 No. 2 GDPR. First of all, the author of the directory must keep in mind which processing operations occur in which areas of his company. It must also be considered which software is used and to what extent it processes personal data. The VVT may also be divided into superordinate groups for clarity.
From this step at the latest, it is worthwhile to consult a data protection officer. Especially a external data protection officer can have a better overview of everything that is happening here from the outside.
Step 3: Specify processing activities
For the individual processing activities, it is also mandatory to provide the respective details from Art. 30 of the GDPR.
A controller must specify the following: Purposes of processing, categories of data subjects, data and recipients, if applicable, information on transfer to third countries, deletion/retention periods, technical-organizational measures (TOMs). For this information, reference can also be made to existing documents such as overview of TOMs (security concept), data protection impact assessment, data protection or deletion concept.
A processor only needs to specify the categories of processing that it carries out on behalf of the respective controller. Moreover, no deletion periods apply to his VVT.
What else to consider
The VVT must be kept in writing. Electronic form is also sufficient for this purpose. There is only a disclosure obligation if the supervisory authority requires this. In the event of requests for information from data subjects, the VVT can be used internally as an aid.
The VVT must be kept current and regularly updated by the author. It is advisable to make changes in such a way that they can be tracked for some time afterwards.
For an exemplary VVT, it makes sense to appoint a data protection officer. We offer ourselves as an external data protection officer. Feel free to contact us also in other matters concerning data protection! Our team of experts will be happy to help you with an individual solution.