The GDPR requires business owners to maintain a register of processing activities (Article 30 GDPR). In this second part on the VVT, you will learn what the content of a VVT must look like.
Read Part 1 of the VVT series, on the obligation to keep a VVT, here.
How is a VVT structured?
The obligation to keep a VVT is stated in Art. 30 GDPR. The directory forms the core of every data protection management system (DSMS) and enables an overview of all processing operations taking place in a company.
A VVT roughly consists of two parts: firstly, basic data such as the name and contact details of the controller or the processor, and secondly, the individual processing activities. The mandatory content of a processor's register (Art. 30 II GDPR) is somewhat less extensive than that of a controller's (Art. 30 I GDPR). This is mainly because the processor is bound by the controller's instructions. You can find out more about the distinction between controllers and processors here.
How to create a VVT?
Whether you are a controller or processor: You can create your VVT in these three simple steps.
Step 1: Basic data in VVT
The register first contains the basic data about the entity that creates the VVT.
A controller states its name and contact details here, as well as those of its representative. If there are several controllers, this information must be provided for each of them. If there is an obligation to appoint a data protection officer, that officer's name and contact details must also be provided.
In addition to its own name and contact details, a processor must also state those of each controller on whose behalf it acts and, if applicable, of that controller's data protection officer.
Step 2: Processing activities in the VVT
Secondly, the register contains a list of all processing activities that take place. Processing activities are defined in Art. 4 No. 2 GDPR. The author of the register must first consider which processing operations are carried out in which areas of the company. It is also important to consider which software is used and to what extent it processes personal data. For clarity, the VVT may also be subdivided into higher-level groups.
From this step at the latest, it is worthwhile to consult a data protection officer. An external data protection officer in particular, looking in from the outside, may have a better overview of everything that happens here.
Step 3: Specify processing activities
For the individual processing activities, it is also mandatory to provide the respective details from Art. 30 of the GDPR.
A controller must specify the following: the purposes of processing; the categories of data subjects, personal data and recipients; if applicable, information on transfers to third countries; deletion/retention periods; and technical and organisational measures (TOMs). For this information, reference can also be made to existing documents such as an overview of TOMs (security concept), a data protection impact assessment, or a data protection or deletion concept.
A processor only needs to specify the categories of processing that it carries out on behalf of the respective controller. Moreover, no deletion periods need to be stated in its VVT.
What else to consider
The VVT must be kept in writing; electronic form is sufficient for this purpose. There is an obligation to disclose it only if the supervisory authority requests it. When data subjects submit requests for information, the VVT can be used internally as an aid.
The VVT must be kept current and regularly updated by its author. It is advisable to make changes in such a way that they remain traceable for some time afterwards.
For an exemplary VVT, it makes sense to appoint a data protection officer. We offer our services as an external data protection officer. Feel free to contact us about other data protection matters as well! Our team of experts will be happy to help you with an individual solution.