Companies must close data gaps


Der Standard
2018, April 9

In preparation for the General Data Protection Regulation, a complete processing directory is required

At the beginning of every project to implement the General Data Protection Regulation (GDPR) stands the comprehensive record of the company's processing activities. Only on this basis can the further duties be meaningfully fulfilled.

The great effort required in practice for implementation results primarily from the poor treatment of data protection to date. The basic parameters of the admissibility check under data protection law have hardly changed. Under the old regime, which is still in force, new processes must be reported to the data protection authority before they are put into operation. In addition, for risk-prone data applications and for data transfers to other EU countries, additional prior regulatory checks and approvals are required.

Independent decision

With the applicability of the GDPR, processes will in future have to be comprehensively documented and checked internally for their admissibility under data protection law, instead of being routed through the authority. This is a move away from reliance on the authority and towards an autonomous decision by the company. The linchpin of the GDPR is the record of processing activities referred to in Article 30, which provides a complete overview of all data processing activities and data flows. It is also the basis for future audits by the authority.

In addition to the existing DVR reports and the transfer of the applications covered by the Standard and Model Ordinance (StMV), which were previously exempted from the reporting obligation, comprehensive data collection is therefore necessary in practice in order to close gaps originating from the past. The following information must be collected and documented in a structured manner:

  • Name and contact details of the controller,
  • Purposes of the processing,
  • Categories of data subjects, data and recipients,
  • Description of appropriate guarantees for transfers to third countries,
  • Retention periods for erasure of data,
  • Technical and organisational security measures taken.

Allocation of data categories

It is particularly important to assign the individual data categories to the data subjects and to the respective recipients. Only on this basis can a legal assessment be made of the admissibility of the processing activities and of the transmissions. At the latest when a data subject requests access, the record of processing activities is put to the test: if additional research is then required to determine which data was used or transmitted for which purpose, the record is incomplete.

Irrespective of this, the record is also the company's most important basis for all subsequent measures in preparation for the GDPR: whether and to what extent data protection impact assessments are necessary, when a data protection officer must be appointed, how the rights of data subjects are ensured across systems, and which technical and organisational security measures are to be taken can only be determined on the basis of a complete overview of the data applications operated by the company.


The material contained in this website is provided for general information purposes only and does not constitute legal or other professional advice. We accept no responsibility for loss which may arise from reliance on information contained on this site.