
Companies must close data gaps

Published in: Der Standard
Date: 9 April 2018

In preparation for the General Data Protection Regulation, a complete processing directory is required

At the start of every General Data Protection Regulation (GDPR) project stands the comprehensive record of the company's processing activities. Only on this basis can the remaining obligations be fulfilled meaningfully.

The considerable practical effort required for implementation results primarily from the inadequate treatment of data protection to date. The basic parameters of the admissibility check under data protection law have hardly changed. Under the old regime still in force, new processes must be reported to the data protection authority before they are put into operation. In addition, risk-prone data applications require additional prior checks by the authority, and approvals are required for data transfers to other EU countries.

Independent decision

Once the GDPR applies, processes will no longer be looped through the authority; instead they must be comprehensively documented and checked internally for their admissibility under data protection law. This is a shift away from clearance by the authority and towards an autonomous decision by the company. The linchpin of the GDPR is the record of processing activities under Article 30, which provides a complete overview of all data processing activities and data flows. It is also the basis for future audits by the authority.

In addition to the existing DVR notifications (DVR: the Austrian data processing register) and the transfer of the applications covered by the Standard and Model Ordinance (StMV), which were previously exempt from the notification obligation, comprehensive data collection is therefore necessary in practice to close gaps originating from the past. The following information must be collected and documented in a structured manner:

  • Name and contact details of the controller,
  • Purposes of the processing,
  • Categories of data subjects, of data and of recipients,
  • Description of suitable safeguards for transfers to third countries,
  • Retention periods and deadlines for erasure of data,
  • Technical and organisational security measures taken.

Allocation of data categories

It is particularly important to assign the individual data categories to the data subjects and to the respective recipients. Only on this basis can the admissibility of the processing activities and of the transmissions be legally assessed. At the latest when a data subject requests access, the record of processing activities is put to the test: if additional research is then required to determine which data was used or transmitted for which purpose, the record is incomplete.

Irrespective of this, the record is also the company's most important basis for all subsequent measures in preparing for the GDPR: whether and to what extent data protection impact assessments are necessary, when a data protection officer must be appointed, how the rights of data subjects are ensured across systems, and which technical and organisational security measures are to be taken can only be determined on the basis of a complete overview of the data applications the company operates.

© 2020 · DORDA