
Record of Data Processing Activities

Background Information on Records of Data Processing Activities at Freie Universität Berlin and How to Create and Maintain Them

This information is intended to help the creators of records of data processing activities pursuant to Article 30.1 GDPR understand the data protection background and purpose of the record of data processing activities so that they can correctly create and maintain this record for relevant processing activities.

Background Information

General Information

The purpose of data protection regulations is to protect individuals from unauthorized infringement of their general right to privacy, specifically of their right to informational self-determination. The relevant regulations that lay out specific requirements are the GDPR, Germany’s Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG), the Berlin State Data Protection Act (Berliner Landesdatenschutzgesetz, BlnDSG), and the Berlin Higher Education Act (Berliner Hochschulgesetz, BerlHG).

The “transparency principle” applies to all data protection rights. This means that the data controller must prepare documentation for data subjects and relevant supervisory authorities about which personal data will be collected, processed, and stored, on which legal basis, and for which purpose. The controller fulfills its documentation duty by creating and maintaining the record of data processing activities. This record simultaneously serves as the basis for the data protection officer and the supervisory authorities to check the legality of the data processing activities.

Not keeping a record of processing activities pursuant to Article 30 GDPR runs the risk of considerable sanctions for the controller, up to and including the prohibition of using certain systems or procedures.

What is personal data, and what does processing activity mean?

Data is personal as soon as, and as long as, it can be assigned to an identified or identifiable natural person. A person is identifiable when the identity of that person can be clearly determined through assignment of an identifier (such as a number) or other distinguishing mark. For example, a relation to a particular person can be restored even when a dataset uses only the student ID number instead of the first and last name of a student. The data in this dataset therefore constitute personal data. Other examples of personal data include social insurance number, tax ID number, banking information, and IP addresses.

The terms “processing” or “processing activities” mean one or more procedures in connection with personal data that contribute to a common purpose and are usually performed completely automatically, or even semi-automatically (machine-controlled and program-controlled). One example is the processing of personal data for payroll purposes. Another feature is the repeatability of the processing procedure. The record of data processing activities should not usually include any of the small-scale, individual steps in processing. It should include such elements only when they can be summarized into a higher-level processing procedure.

Typically, a record must be created for processing activities for the following purposes:

  • Processing of personal data (particularly of students, staff members, external persons)
  • Calculating wages and salaries
  • Sending newsletters
  • Managing projects funded by third parties
  • Research, particularly conducting studies
  • Event organization/project management
  • Personnel management
  • Student records (evaluations, examination results, examination records, etc.)

Usually, no record must be kept for the following procedures:

  • Activities that process no personal data or only anonymized data, such as material databases or development tools
  • Storage space for, e.g., databases, documentation of processes, projects, or products in which editors and participants could be named (such as the author and last editor of a document, meeting minutes, or other documents including the creation/modification data) insofar as these do not contain any further personal data
  • Software orders of individual professors, researchers, students, etc.
  • Static lists such as address lists, participant lists

Who is responsible for creating and maintaining records of processing activities?

The data controller is responsible for creating individual records of processing activities. “Data controller” means the natural person who individually or collectively (in “Joint Controllership”) decides about the purpose for and means of processing personal data. In addition to this formal responsibility, it makes sense in practice for staff members who are entrusted with managing data processing to create the record of processing activities.

When must a record of processing activities be created?

These records must be created or updated for all existing data processing activities as well as when implementing new processing activities or modifying existing ones. When starting new data processing activities, the university staff member responsible for implementing the new processing activity (project leader, head of unit or, if these roles do not apply, the staff member technically responsible for the processing activities) has the responsibility to enter the processing activities in the Freie Universität Berlin record of data processing activities.

Notifying the Data Protection Officer (DPO)

The DPO must be informed as soon as possible about the new or updated entry in the record of data processing activities. The DPO then checks whether the procedure is permitted under data protection regulations and if a Data Protection Impact Assessment by the DPO is necessary.