Spring cleaning for the record of processing activities (VVT)

Under the title “Frühjahrsputz im Verarbeitungsverzeichnis”, the Bavarian State Commissioner for Data Protection (BayLfD for short) has published a “current brief information”, number 47 in its series of brief information. Even if one does not necessarily have to agree with the BayLfD's requirements for the content of a VVT (see also our contribution on what can be done better in this regard), the idea of giving the processes for maintaining the record of processing activities and keeping it current a spring clean is still more than good.

The sections of the short information are structured as follows:

  1. Organisation: Check and, if necessary, firm up the responsibilities and processes for creating the VVT, for maintaining it and keeping it up to date, and for reporting changes to existing processing as well as processing that no longer exists. Attention should not only be paid to the written rules on this, however. These must also be up to date, and the BayLfD is absolutely right about that. But it is even more important that these rules do not exist only on paper but are filled with life. So ask: “Are the documented processes actually initiated and run through?”
  2. Check the directory entries themselves: Are they up to date? Are all new processing activities included? Have earlier changes been reported and entered? Have discontinued processing activities been reported and removed? In all likelihood some time has passed since the record was first created under the GDPR, and the entries have gathered a bit of dust. Checking is better than trusting that changes have somehow already been reported to the DPO.
  3. Leverage synergies: It's a shame that the BayLfD did not have in mind, or include, the synergies with information security, for example. But even so, the point is very important, because numerous other data protection tasks of the responsible bodies can only be managed with an up-to-date VVT. This starts with the correct and complete handling of data subjects' rights, continues with a list of current processors and does not end with the details needed for the information obligations under Art. 13 and 14 GDPR.

Ironically, there is a fourth section, “Folgen fehlender Aktualität”. As is well known, under the state data protection laws public bodies are exempt from noticeable, i.e. painful, consequences if data protection regulations are disregarded. But maybe the raised index finger from Munich will help too: “You, you, you! You should stick to the GDPR and the BayDSG” 🙂

But regardless of whether your own organization is a public or non-public body: How up-to-date is your VVT?

