Article 30 GDPR: What are the requirements?

Article 30 GDPR

Creating a list of processing activities

Companies use various metrics to analyze their performance in areas such as marketing, sales, customer success, human resources, finance or IT. Creating a record of processing activities can streamline and connect all of these efforts. All companies are expected to provide information in their privacy policy about the purposes for which they process the personal data of their customers and other data subjects. The record of processing activities provides an excellent overview of the activities of individual departments, the processes of your company and the handling of personal data.

Artikel 30 verpflichtet jedes Unternehmen, das als datenschutzrechtlich Verantwortlicher im Anwendungsbereich der DSGVO tätig ist, ein “Verzeichnis von Verarbeitungstätigkeiten” (VVT) in schriftlicher (auch: elektronischer) Form zu führen. Das VVT bietet einen umfassenden Überblick über die Verarbeitung personenbezogener Daten im Unternehmen. Auch Auftragsverarbeiter müssen ein VVT über diejenigen Prozesse führen, die sie im Auftrag ihrer Auftraggeber durchführen. Aus dem VVT geht das Wie und Warum einer Datenverarbeitung hervor. Das VVT muss der Aufsichtsbehörde auf Verlangen vorgelegt werden.


Article 30 GDPR: What exactly is a "processing activity"?

Der Begriff “Verarbeitungstätigkeit” wird in der DSGVO nur unzureichend definiert. Daher kann es zu Unklarheiten kommen, was in welchem Detailgrad dokumentationspflichtig ist. Im Allgemeinen stellt die DSGVO die Anforderung, die einzelnen Prozessschritte zu dokumentieren, in welchen personenbezogene Daten von Mitarbeitern, Kunden oder sonstiger Betroffener verarbeitet werden. Gleiches gilt für die Rechtsgrundlage und Zwecke einer jeden Datenverarbeitung.

Article 30 GDPR: The record of processing activities  

Article 30 GDPR defines the content of the record of processing activities. In addition to the name and contact details of the company and the data protection officer, if any, the following information must be documented for each processing of personal data:

  • Purpose of processing - Why and for what purpose do you use personal data?
  • Categories of data subjects - employees, customers, etc.
  • Categories of personal data - contact, financial, health data, etc.
  • Categories of recipients - To whom is the data disclosed?
  • Information about recipients outside the EU/EEA
  • Deletion periods
  • Description of the technical and organizational security measures / protective measures

You need a legal basis for all data processing. It is absolutely helpful to record this in your DPA. In the case of data processing based on Article 6(1)(f) GDPR, you must also document the respective legitimate interests pursued by the controller or a third party.  

Article 30 GDPR: Examples of processing activities

Examples of the processing of employee data may include the following:

The use of special software or devices with which employee data is collected, processed or used (e.g. systems for e-recruiting, payroll accounting, time recording, digital personnel files, electronic access controls, video surveillance).


Article 30 GDPR: What impact does it have on my company?

Article 30 GDPR stipulates that all companies with more than 250 employees must keep a record of processing activities. It must be submitted to the supervisory authority for review upon request.  

Before a company starts to create a DPA, it must first analyze which categories of personal data it processes, where the data is stored and how the data flows inside and outside the company. This also forms the basis for compliance with other requirements of the GDPR, such as Article 6 (establishing a legal basis for processing), Article 7 (conditions and requirements for obtaining consent) and Article 13 (information obligations).


Article 30 GDPR: Are there templates for a VVT?

There are many templates for a VVT available online. Specialized software such as 2B Advice PrIME contains catalogs or templates to help you fulfill the documentation requirement by creating easy-to-answer online surveys that can be forwarded to the relevant specialist managers.

For example, a VVT questionnaire could ask these questions:

- Why do you process personal data?

- Whose data do you process?

- What types or categories of data do you process?

- How long do you store the data / when do you delete this data?

- What measures do you take to protect this data?

- With which third parties or providers do you share this data?

These questions should be answered by every internal department and business unit that processes employee or customer data.


Checklist Article 30 GDPR: How to master the challenge

Before a company can begin to create a DPA, it must first analyze which categories of personal data it processes, where the data is stored and how the data flows inside and outside the company. This also forms the basis for compliance with other requirements of the GDPR, such as Article 6 (establishing a legal basis for processing), Article 7 (conditions and requirements for obtaining consent) and Article 13 (information obligations).

1. develop a standard questionnaire for the data protection impact assessment

2. define uniform guidelines and procedures for important requirements such as deletion obligations or technical and organizational measures

3. set risk thresholds to identify areas for improvement

4. check whether all data processing has a valid legal basis

5. update your privacy policy accordingly

6. maintain the electronic VVT regularly

These are some of the first steps to put a company on the path to data protection compliance. Other factors can include service provider audits or conducting employee training to minimize the risk of a data breach.

Article 30 GDPR: What are the penalties for violations?

The supervisory authorities are authorized to impose significant fines on controllers or processors. Fines can be imposed for a variety of infringements, e.g. for non-compliance with Article 30 GDPR. In this case, fines of up to €10,000,000 or up to two percent of the previous year's global turnover, whichever is higher, may be imposed.

Can the new Californian CPRA regulation be compared with Article 30 GDPR?

Eine der weitreichendsten Bestimmungen des CPRA, 1798.185(a)(15), ähnelt Artikel 30 DSGVO insofern, als sie von Unternehmen die Durchführung jährlicher Cybersicherheitsaudits und “regelmäßiger” Risikobewertungen verlangt, wenn die “Verarbeitung personenbezogener Daten von Verbrauchern durch das Unternehmen ein erhebliches Risiko für die Privatsphäre oder Sicherheit der Verbraucher darstellt”. Bei der Bestimmung, ob die Verarbeitung “ein erhebliches Risiko” darstellt, identifiziert das CPRA zwei Faktoren, die zu berücksichtigen sind. Erstens: Die Größe und Komplexität des Unternehmens; zweitens: Die Art und den Umfang der Verarbeitungstätigkeiten.

The main difference is that the CPRA also requires a company to regularly submit a risk assessment to the California Privacy Protection Agency (CPPA) in relation to its processing of personal data.

Final thoughts: What should you do next regarding Article 30 GDPR?

If you are based in Europe, expanding into Europe, acquiring a business in Europe or merging with a business in Europe and you want to move from creating and maintaining your DPA from Excel or other templates to an integrated, data protection compliant management system, 2B Advice can support you. Our robust 2B Advice PrIME software was developed in Germany, at the heart of data protection culture. 2B Advice PrIME has been designed to meet the strictest requirements of the GDPR and European supervisory authorities.

Arrange a consultation today.


Share this post :

Popular Categories


Get free tips and resources right in your inbox, along with 10,000+ others