
Alston & Bird Privacy, Cyber & Data Strategy Blog


German DPAs to Create Model Processing Records for GDPR Compliance

August 15, 2016 By Daniel Felz

On May 25, 2018, the EU General Data Protection Regulation (GDPR) enters into force.  One of the major changes the GDPR introduces is a duty for in-scope controllers and processors to maintain written records of processing activities.  Under Article 30 GDPR, companies will need to inventory all “processing activities under [their] responsibility” and memorialize them in a written record setting forth, inter alia, the purposes of processing operations, international transfers, and retention periods.  Companies must provide their processing records (sometimes informally referred to as a “processing inventory”) to EU data protection authorities (DPAs) upon request.

Last week, the DPA for the German state of Bavaria issued a circular discussing Article 30 GDPR’s new recordkeeping requirements.  Many of the points the Bavarian DPA raised will not come as surprises to companies that have spent time getting to know the GDPR, such as:

  • Article 30 GDPR introduces a major change: not just controllers, but also processors must maintain processing records and produce them to DPAs upon request;
  • Company-maintained processing records will displace the present regime of DPA notifications for certain processing operations and transfers;
  • Companies operating in Germany are already generally obligated to maintain an “index of processing activities” (Verfahrensverzeichnis), which can serve as a basis for generating GDPR processing records;
  • Failure to maintain processing records is subject to fines of € 10 million or 2% of worldwide annual turnover, as is the failure to produce processing records to DPAs upon request.

One question many companies are asking is “How detailed do our processing records need to be?”  The Bavarian DPA indicates it also sees this question as “intriguing,” especially since Article 30(1)(g) and 30(2)(d) only require a “general description” of a company’s technical and organizational information security measures “where possible.”

To help controllers and processors meet their recordkeeping obligations, the Bavarian DPA announced that the 17 German DPAs have formed a working group that will develop a Model Processing Operations Index for Article 30 compliance.  Currently, the German DPAs plan to release the Model Processing Operations Index in mid-2017.

The detail provided in the Model Index should be an invaluable resource for companies with operations or customers in Germany, and may set the tone for what DPAs throughout the EU expect under Article 30 GDPR.  Moreover, while Article 30 GDPR specifies the categories of information processing records must include, it does not specify format—and the Model Index may be the first DPA indication as to acceptable formats for Article 30 records.

*          *          *          *          *

Alston & Bird is closely following the Model Processing Operations Index as well as other important data-protection developments in Germany.  For more information, contact David Keating or Jim Harvey.

Filed Under: Data Protection, Data Security, Enforcement, GDPR, International, Legislation, Privacy, Regulation

About Daniel Felz

Daniel Felz is a senior associate with Alston & Bird’s Privacy, Cyber & Data Strategy Team. Dan leverages his extensive international experience to advise clients on global privacy, cybersecurity, technology, and adversarial matters.
