Files for processing index

To comply with GDPR, the first thing you have to do is create a record of all your data processing activities. We call it a processing index.

Get started with the processing index

In the records of your processing activities, you have to list the following information (Article 30 GDPR):

  1. name and contact details of the controller (= responsible person)
  2. if applicable: name and contact details of the controller's representative and data protection officer
  3. the purpose of the data processing:
    accounting, marketing, newsletter, payroll, video surveillance, ...
  4. legal justification
    legal obligation, fulfilment of contract, legitimate interest of controller, consent, ...
  5. data categories:
    employees, clients, suppliers, interested people, ...
    and categories of personal data:
    name, address, IP address, birthdate, ...
  6. categories of recipients:
    hosting provider, cloud storage, external accountants, legal authorities, ...
  7. if applicable: transfers of data to third countries or international organisations and suitable safeguards
  8. deletion deadlines for different data categories:
    bookkeeping documents for 7 years, website interests for 1 year, ...
  9. general description of technical and organisational security measures:
    encryption, pseudonymisation, backup, access control, ...

You have to create and maintain this processing index to be compliant with the EU GDPR, because it is the basis for all further analysis, information and documentation.

If you are processing data for other companies, you are - in terms of GDPR - a processor on behalf of the original controller. In this case, you have to maintain a record of all processing activities you are carrying out on behalf of the controller. This processing index has to consist of the following content:

  1. name and contact details of processor
  2. name and contact details of controller on behalf of which the processor is acting
  3. if applicable: name and contact details of the representative and data protection officer
  4. categories of processing
  5. if applicable: transfers of data to third countries or international organisations and suitable safeguards
  6. general description of technical and organisational security measures

Processing index completed ... and now?

While creating and recording your activities, you will find out what kind of data you are processing. Under GDPR, you have to ensure through technical and organisational measures (TOM) that this personal data is stored, transmitted, processed, ... in a safe way. In particular, if

  • you are processing huge amounts of data or
  • you are processing special categories of data (Article 9 GDPR) or
  • there is a high risk for the rights and freedoms of natural persons

you need to carry out a data protection impact assessment (DPIA). In other cases, you have to conduct a DPIA if there is a high risk in a processing activity.

After completing the processing index, you also know with which processors you will have to make a contract to guarantee appropriate technical and organisational measures for data protection and safety. 

You will also have to check all your public statements about data processing and you have to ensure that you are informing the people in advance whenever you collect or process their personal data. If you receive personal data from a third party, you have to inform people about the data processing activity before you process it for the first time - at least within a month.

 

End of Service

Thank you for your interest in this GDPR tool.

We've decided to discontinue this service at the end of September 2023.
Former customers can download their PDFs until the end of September 2023.