The GDPR requires companies to maintain a record of processing activities (Article 30 GDPR), known in German as the Verzeichnis von Verarbeitungstätigkeiten (VVT). In this first part of the VVT series, you will learn who must keep such a record and what the consequences of a breach are.
Part 2 of the VVT series, on the content of a VVT, can be read here.
Why a VVT at all?
The obligation to keep a VVT is laid down in Art. 30 GDPR. The record forms the core of every data protection management system (DSMS).
The record provides an overview of all processing operations taking place in a company. This overview makes it easier to monitor these operations, to assess their risks and to identify where action is needed.
Not least, the rules on the VVT give effect to the accountability principle (Art. 5 II GDPR): the record is the evidence with which a company demonstrates compliance. It also increases control and transparency.
When is a VVT mandatory?
According to Art. 30 GDPR, every controller and every processor is obliged to maintain a VVT. The required content differs depending on whether the keeper of the record is a controller or a processor: for the controller, the list in Art. 30 I GDPR applies, whereas for the processor, the list in Art. 30 II GDPR applies.
Learn more about the content of a VVT here.
The definitions of controller and processor can be found in Art. 4 No. 7 and No. 8 GDPR. More on the distinction between controller and processor can be found here.
When am I exempt from the obligation to keep a VVT?
If a company or organisation has fewer than 250 employees, it is in principle exempt from the obligation to maintain a VVT (Art. 30 V GDPR). However, this exemption has three counter-exceptions: a VVT is mandatory after all if the company carries out processing that is likely to result in a risk to the rights and freedoms of data subjects (e.g. surveillance measures), that is not merely occasional, or that concerns special categories of data (Art. 9 GDPR) or data relating to criminal convictions and offences (Art. 10 GDPR). The second counter-exception (regular, non-occasional processing) in particular covers almost every company, since routine operations such as payroll or customer administration are processed continuously. In the vast majority of cases, therefore, companies with fewer than 250 employees are obliged to keep a VVT as well.
What happens in the event of a violation?
If a party obliged to keep a VVT does not keep one, or keeps it incompletely, this constitutes an administrative offence pursuant to Art. 83 IV lit. a GDPR.
The competent supervisory authority may then impose a fine of up to EUR 10 million or, in the case of an undertaking, up to 2% of its total worldwide annual turnover of the preceding financial year, whichever is higher.
Do you need support with the VVT and data protection? We offer our services as external data protection officers. Feel free to contact us for more information about our services!
Part 2 of the VVT series continues here.