EU General Data Protection Regulation (GDPR): Sample processing directory for processors

Data processing directory with Word download and application example

The experts of the Austrian Economic Chambers have created the following model of a data processing directory for processors, in accordance with Article 30 (2) of the EU General Data Protection Regulation (GDPR), for their member companies.

A fictitious example that has already been filled out is available as an aid to filling out the form under “Application example for those responsible” (PDF version) in the download area.

The stored watermark "Pattern" can easily be removed from the Word document.


Data processing directory according to Art 30 Paragraph 2 EU General Data Protection Regulation (GDPR) - (Processor)

Contents

  1. Master sheet of the processor
  2. Master sheet of the person responsible and information on order data processing
  3. General description of the organizational and technical measures

Master sheet of the processor

  1. Name and contact details of the processor(s)

    1. Name and address:

    2. E-mail address (and any other contact details such as phone number):

    3. Name and contact details (address, e-mail and any other contact details such as telephone number) of the data processor's data protection officer [1]:

Master sheet for the person responsible on whose behalf data is processed and information on order data processing

  1. Name and contact details of the person(s) responsible (jointly) for processing (= client)

    1. Name(s) and address(es):

    2. E-mail address(es) (and any other contact details such as phone number):

    3. Name and contact details (address, e-mail and any other contact details such as telephone number) of the data protection officer: [2]

    4. Name and contact details (address, e-mail and any other contact details such as telephone number) of the representative of the person responsible: [3]

  2. Categories of processing that are carried out on behalf of the specific controller (indication of the service offered in connection with the processing of personal data)

  3. Transfer of personal data to third countries, including international organizations

    1. Yes / No
      If yes, please state the relevant third country or international organization:

    2. Documentation of the appropriate guarantees made in the event of a transfer to third countries that is not based on Art 45, 46, 47 or 49 Paragraph 1 Subparagraph 1 GDPR (especially if there is no adequacy decision of the European Commission, no standard contractual clauses of the European Commission or the national data protection authority are used or approved certification mechanisms are used, no binding corporate rules are applied (approved, binding internal data protection regulations), the transmission is not required for contract fulfillment purposes or there is no express consent): [4]

General description of the technical and organizational measures

  1. Confidentiality: [5]
  2. Integrity: [6]
  3. Availability and resilience:
  4. Pseudonymization and encryption:
  5. Evaluation measures:

[1] If a data protection officer has been appointed on a mandatory or voluntary basis. Whether the information of the data protection officer of the person responsible in the processing directory of the processor (under point B) is mandatory cannot yet be conclusively clarified due to the formulation of the provision of Art 30 Paragraph 2 lit a GDPR; however, citing them can make it easier to work with the person responsible in individual cases.

Note: If there is no obligation to appoint a data protection officer, but the person responsible would like to appoint one voluntarily, all provisions of the GDPR relating to the data protection officer must still be complied with; if you do not want that, the appointed person must not be called "Data protection officer", and a different designation should be chosen (e.g. "Data protection coordinator"). This can, but does not have to, be included in the processing directory. See the WKO leaflet "Data protection officer".

[2] Whether the data of a data protection officer appointed by the person responsible is also to be documented in the processing directory of the order processor cannot be clearly read from the text of the regulation. For pragmatic reasons, however, it seems to make sense to include this data (if available) in the directory, as it facilitates the data protection cooperation between the controller and the processor.

[3] This includes representatives of those responsible who are not established in the EU.

[4] See the WKO leaflet “International Data Traffic”.

[5] Prevention of (unintentional) disclosure or unauthorized access to personal data.

[6] Prevention of (unintentional) destruction, (unintentional) damage, (unintentional) loss, (unintentional) modification of personal data.