77 officer roles, all coveredArt. 33 GDPR, 72 hours to report a breach93 controls under ISO/IEC 27001:2022905 ready-to-run audit templates in the workspace§ 130 OWiG, supervisory duty of the management boardOfficer appointment letter, signed, filed, evidencedOne workspace for tasks, trainings, audits, documentationDIN 14095 fire protection plans, standardisedEU AI Act, the first horizontal AI regulation worldwide77 officer roles, all coveredArt. 33 GDPR, 72 hours to report a breach93 controls under ISO/IEC 27001:2022905 ready-to-run audit templates in the workspace§ 130 OWiG, supervisory duty of the management boardOfficer appointment letter, signed, filed, evidencedOne workspace for tasks, trainings, audits, documentationDIN 14095 fire protection plans, standardisedEU AI Act, the first horizontal AI regulation worldwide
Create a processing list in accordance with Art. 30 GDPR: step-by-step guide
Data Protection & Privacy

Create a processing list in accordance with Art. 30 GDPR: step-by-step guide

19 June 202613 min readBy Lena Vogt
CIVAC

The processing directory is the central proof requirement according to Art. 30 GDPR. This guide shows which fields are mandatory, how a VVT can be set up in less than two weeks and which templates the supervisory authority accepts.

Article 30 GDPR obliges every controller and every processor, usually with more than 250 employees, but in many cases even fewer, to keep a register of processing activities. Federal and state regulatory authorities routinely request this list before they even begin substantive audits. Without a well-maintained VVT, the accountability obligation according to Art. 5 Para. 2 GDPR cannot be fulfilled in practice, and in the event of a data breach according to Art. 33 GDPR there is no basis for properly informing the supervisory authority within the 72-hour period. The Data Protection Conference points out in several short papers that an incomplete directory is not just a breach of form, but usually indicates structural deficits in the entire data protection organisation.

This guide describes which mandatory fields the directory must contain in accordance with Article 30 Paragraph 1 and Paragraph 2 GDPR, how a data protection officer sets it up methodically and which typical errors are immediately noticeable during audits. It is aimed at management, internal data protection officers and external consultants who not only want to create a VVT once, but also want to keep it as a living document in day-to-day operations. The templates mentioned are based on the templates of the Data Protection Conference (DSK) and are available in CIVAC's compliance platform and Officer-as-a-Service. Anyone who sees the directory as a control tool and not as a mandatory document also gains a clear overview of all data-driven processes and can address risks earlier.

Key Takeaways

  • The VVT ​​is not an Excel appendix, but the control document for every data breach report, information and supervisory audit.
  • Art. 30 Paragraph 1 GDPR requires twelve mandatory pieces of information per processing activity, Paragraph 2 requires seven for processors.
  • The 250-employee threshold only applies to a limited extent; risky or regular processing always requires documentation.

Who is obliged to maintain a VVT according to Art. 30 GDPR?

The obligation applies to every person responsible within the meaning of Art. 4 No. 7 GDPR and every processor within the meaning of Art. 4 No. 8 GDPR. The exception for companies with fewer than 250 employees mentioned in Art. 30 Para. 5 GDPR only applies if the processing is not risky, does not occur regularly and no special categories of personal data according to Art. 9 or Art. 10 GDPR are affected. In supervisory practice, this means: As soon as a company keeps personnel files, processes customer data, sends newsletters or accepts applications, the exception regularly no longer applies. The Data Protection Conference made it clear in its brief paper No. 1 that the threshold should be read as an exception to the rule and not as a de facto exemption for small and medium-sized companies.

For group structures, it should be noted that each legally independent unit must maintain its own VVT. A central group VVT is not sufficient, but can be organised as a folder in which each subsidiary contributes its own register. According to Art. 30 Para. 2 GDPR, contract processors such as IT service providers, payroll processors or cloud providers must keep an independent register of all processing that they carry out on behalf of their customers. Anyone who is unsure whether their own activity can be classified as processing on behalf or as joint responsibility according to Art. 26 GDPR should have the role clarified by the external data protection officer before the directory is created. Otherwise the architecture of the VVT ​​will be wrong at the root. Public bodies, associations with membership administration and professional associations are also subject to the obligation. A mere reference to an association or an umbrella organisation does not release the individual institution from responsibility. Anyone who has a location in another EU member state should also check whether the supervisory authorities there apply their own formal requirements that must be integrated into the group VVT.

The twelve mandatory fields according to Art. 30 Para. 1 GDPR in detail

Art. 30 Paragraph 1 GDPR lists the minimum information precisely. Firstly, the name and contact details of the controller, if applicable the joint controller, the representative and the data protection officer. Secondly, the purposes of the processing. Thirdly, a description of the categories of data subjects, such as employees, applicants, customers, suppliers or website visitors. Fourth, a description of the categories of personal data such as master data, communication data, contract data, health data according to Art. 9 GDPR or data on criminal convictions according to Art. 10 GDPR.

Fifth, the categories of recipients to whom the data has been or will be disclosed, including recipients in third countries. Sixth, any transfers to third countries or to international organisations specifying the guarantee instrument in accordance with Chapter V of the GDPR, such as an adequacy decision, standard contractual clauses or binding corporate rules. Seventh, the intended deletion periods for the individual data categories. Eighth, a general description of the technical and organisational measures in accordance with Art. 32 GDPR. In addition, in practice, the legal basis for each purpose, a reference to the data protection impact assessment according to Art. 35 GDPR, the person responsible in the department and the date of the last review are regularly included as a duty of accountability in accordance with Article 5 Paragraph 2 of the GDPR. Anyone who leaves out these four additional fields meets the formal minimum information, but fails in terms of accountability. In CIVAC workspace templates, these fields are created as separate fields so that filtering, search, and reporting functions can access them. This is particularly crucial for requests for information pursuant to Art. 15 GDPR, because the processing operations assigned to a person can be extracted directly without having to search in free text fields. An additional column for references to internal guidelines, such as deletion or authorisation concepts, further increases usability.

Structure in nine steps: from a blank page to an auditable directory

Step one is taking stock of the business processes. It makes sense to structure it according to specialist areas such as human resources, sales, marketing, IT, finance, purchasing and management. Step two: Recurring processing is identified for each department, such as applicant management, payroll, time recording, CRM maintenance, sending newsletters or video surveillance. Step three: The purpose of each processing is precisely formulated. The supervisory authorities do not accept vague formulations such as “internal purposes” or “business operations”. A good formulation, for example, is “Processing the application process including aptitude diagnostics up to the hiring or rejection decision.”

Step four is the determination of the legal basis in accordance with Article 6 GDPR and, if applicable, Article 9 Paragraph 2 GDPR. Step five is the clear description of the data categories and those affected. Step six includes the recipients including processors, third country transfers and intra-group transfers. Step seven is to determine the deletion periods, taking into account commercial and tax retention obligations under Section 257 of the German Commercial Code (HGB) and Section 147 of the AO. Step eight is the description of the TOM according to Art. 32 GDPR with reference to the ISMS and the ISO/IEC 27001:2022 controls. Step nine is approval by the data protection officer and storage in a versioned system. For this purpose, CIVAC provides a template with 16 structured fields in the workspace, which not only covers the mandatory information, but also creates a link to data protection impact assessments, order processing contracts and deletion concepts. This means that the VVT ​​becomes a control centre, not a mandatory file. Ideally, the development is organised in two sprints. The first sprint covers human resources, IT and finance, the second sprint covers customer-oriented processes in sales, marketing and service. This means that usable results are available after a good four weeks without the departments being overloaded.

Typical errors that are immediately noticeable during supervisory audits

Four patterns regularly appear in audits by state data protection authorities. Firstly, missing or generalized deletion deadlines. A VVT that says “according to statutory retention requirements” everywhere is useless because the supervisory authority checks whether the specific deadline corresponds to the data category. Secondly, unclear order processing relationships. If a cloud provider is named as a recipient in the VVT, but there is no order processing contract in accordance with Art. 28 GDPR, this is a separate violation. Thirdly, missing third country information. As soon as a hyperscaler is deployed that processes data in the USA, the guarantee instrument, provider and scope must be documented. There is also often no information about which specific standard contractual clause modules are used and whether a transfer impact assessment was created.

Fourth, outdated statuses. A VVT that has not been updated since 2019 signals to regulators that accountability is not being taken seriously. The solution is a fixed review cycle, usually annually, as well as an event-related update path for new tools, processes or service providers. In the CIVAC platform, these updates are sent to management via the data protection officer's reporting channel. Others run compliance like a filing cabinet. We run it like software. Every entry is versioned, every change is documented, every release is traceable. The auditor calls, the evidence is ready. Anyone who keeps the VVT ​​as a living document has a decisive advantage in the event of an audit compared to companies that only polish their lists once a year for audit preparation. Another pattern that regularly arises in fine proceedings is the lack of integration with the deletion concept. Anyone who specifies deletion periods in the VVT ​​but cannot prove operational deletion will fail to be accountable in the same way as a company without a directory.

VVT for processors according to Art. 30 Para. 2 GDPR

Processors are subject to their own documentation requirements. You must maintain a record of all categories of activities carried out on behalf of a controller. Mandatory information is the name and contact details of the processor, the representative, the data protection officer and the client, the categories of processing, if applicable, transfers to third countries with a guarantee instrument and a general description of the technical and organisational measures. The requirements are formally lower than for those responsible, but in practice they are just as demanding because customer audits require a detailed picture.

In practice, a two-stage structure is recommended. Level one is the internal directory, which contains all clients, contracts and processing categories. Level two is an extract generated per client, which can be quickly issued in the event of audits, customer inquiries or regulatory reviews. Anyone who is a processor should also ensure that each subservice chain is clearly mapped in accordance with Article 28 (4) GDPR. If a subservice provider is missing from the directory, this will be noticed at the latest during the first customer audit and regularly triggers contractual penalties or terminations. The CIVAC platform supports processors with a separate template in accordance with Art. 30 Para. 2 GDPR, which is directly linked to the subservice provider register and the approval logic in accordance with Art. 28 Para. 2 GDPR. This means that the contract landscape is not only documented, but can also be operationally controlled. Anyone who relies on an Excel table here risks a key finding in the next ISO/IEC 27001:2022 ISMS exam or in a TISAX assessment. The situation is particularly critical for IT service providers who work for customers from regulated industries such as banks, insurance or energy. These customers pass on their own requirements from DORA, VAIT or BAIT, and the processor must prove that their own documentation reflects these requirements.

Link to data protection impact assessment and TOM

The VVT ​​should not be viewed in isolation. It forms the input basis for the threshold test according to Art. 35 GDPR, which decides whether a data protection impact assessment is necessary. Processing such as systematic assessment, extensive processing of special categories or systematic monitoring of publicly accessible areas trigger the DPIA obligation. The DSK publishes a positive list that serves as guidance. Without a complete VVT, the threshold check cannot be carried out reliably, and without a documented threshold check, the accountability requirement according to Art. 5 Para. 2 GDPR is not fulfilled. Supervisory authorities are increasingly checking specifically whether the DPIA threshold check is documented as an independent step and is not lost in a collective statement.

The connection with the technical and organisational measures in accordance with Art. 32 GDPR is just as close. Anyone who operates an ISMS according to ISO/IEC 27001:2022 can link the 93 controls directly to the TOM fields in the VVT. This creates a continuous chain of evidence from the processing activity through the risk assessment to the specific set of protective measures. CIVAC maps this chain in the workspace so that a change in a TOM, such as the introduction of a new encryption solution, automatically marks all affected VVT entries for review. This is the difference between a static list and a living compliance architecture. The clock starts on awareness. In sectors with particularly sensitive data, such as healthcare, education or recruitment, there should also be a link to the list of special categories in accordance with Article 9 GDPR so that protective measures and authorisation concepts can be precisely assigned. The platform supports this categorization via tags, which are included in evaluations and reports. At the push of a button, lists of all processing involving health data, with reference to third countries or with particularly vulnerable groups of those affected can be generated, which significantly speeds up both internal reviews and external audits.

VVT as the basis for data breach reports according to Art. 33 GDPR

In the event of a data breach, the deadline is 72 hours from the date of knowledge. During this time, the supervisory authority must be informed in accordance with Art. 33 GDPR. The notification requires a description of the nature of the breach, the categories of data affected, the likely consequences and the measures taken. Anyone who begins to identify the affected processing in this stressful situation will lose valuable hours. Management is often faced with the question of whether a report is even necessary, and without a clean database from the directory, this decision can hardly be made sustainably.

A well-managed VVT makes it possible to reconstruct within minutes which data categories are affected, which recipients were involved, which TOM should have been used and which affected parties need to be informed. The CIVAC platform connects the VVT ​​with the 24/72 reporting path, as known from NIS-2, and creates a reporting draft for supervision from the stored processing data. The appointment certificate, signed, filed, verifiable, this also applies to the data protection officer who controls the reporting process. close cooperation with the information security officer ensures that technical findings and data protection reports do not pass each other by. Anyone who manages data protection and information security separately risks contradicting statements to the supervisory authority and thus follow-up questions that prolong the process. It makes sense to define a single reporting centre that consolidates both paths. In the workspace, this logic is stored as an escalation tree, which identifies the responsible people with deputies and escalation times, thus preventing a report from being left behind on a weekend or while on vacation. In addition, exercises can be planned in which a fictitious incident is played out so that the reporting chain is tested under real conditions and management knows which decisions have to be made within the first few hours.

Maintenance during ongoing operations: versioning, releases, audits

A VVT is only resilient if it runs along with day-to-day business. Responsibility lies with the department that carries out the processing, the technical review with the data protection officer, and the final approval lies with the management as the person responsible within the meaning of the GDPR. A three-stage workflow has proven successful: Department reports changes, DSB checks and comments, management approves. Each stage must be documented with a time stamp and person responsible. This creates a complete history that serves as proof of accountability in every supervisory audit. The supervisory authority regularly recognises a clean workflow when releases are consistently documented in chronological order and adjustments to tools or processes are reflected in the directory promptly, i.e. within a few weeks.

An internal audit of the entire VVT ​​should be carried out at least annually. Samples are taken, the timeliness of the deletion periods is checked, the consistency is compared with the processor register and the TOM descriptions are compared with the ISMS status. Audit-proof, documented, Section 30-proof. In the CIVAC workspace, this audit cycle runs as a template, which includes 490 ready-to-use audit templates and provides the VVT ​​with its own checklist with 24 check points. Licence the workspace for your internal representatives or have our representatives order it. Both models lead to the same proof. The difference is whether care is provided by internal resources or by CIVAC representatives with an SLA of two business days. It is also recommended to conduct a quarterly review with the department heads, in which only the new processes created in the last three months are discussed. This means there is no wave of audits once a year, but rather a consistent rhythm that distributes the effort.

Turn reading into a mandate.: VVT construction with CIVAC

Building a processing directory is not a one-time action, but rather the establishment of a permanent control instrument. Anyone starting today should not be guided by an Excel template from the Internet, but rather by an architecture that brings together VVT, DPIA, TOM, order processing contracts and data breach reporting path. CIVAC provides this architecture as a compliance platform and officer-as-a-service. The platform includes 25 agent roles, all live, with a PO logic, a reporting line to senior management and an EU data residency relevant to regulated industries. The templates are designed in such a way that they are suitable for medium-sized companies with 50 employees as well as for corporations with several thousand.

You can get started in two working days instead of the classic two to six weeks. The Role overview shows which officers can be appointed in parallel, such as the data protection officer, the information security officer and the compliance officer. Licence the workspace for your internal representatives or have our representatives order it. Anyone who would like to check whether their own VVT meets current regulatory requirements can request a VVT diagnosis. The inventory is checked against the twelve mandatory fields and the four additional accountability fields, gaps are identified, and a restructuring path with an effort estimate is presented. Turn reading into a mandate.: info@civac.de or via the contact form on civac.de. Feedback will be provided within two working days, including a draft appointment certificate if there is a need for an external data protection officer. If requested, CIVAC can also provide support with the introduction of the workspace with a moderated workshop in which the first three departments set up and release their directories together with the data protection officer. This shifts the effort from management to the methodological framework of the platform, and after the workshop is completed, the directory is not only documented, but also operationally understood.

FAQ

At what size company is a processing directory required under Art. 30 GDPR?

The 250-employee threshold in Article 30 (5) GDPR is an exception to the rule. It only applies if the processing is not risky, does not occur regularly and no special categories according to Art. 9 or Art. 10 GDPR are affected. In practice this means: Anyone who processes personnel data, customer data or application documents is obliged to do so, regardless of the number of employees. Small businesses should therefore also have a VVT.

Which mandatory fields must the directory contain at least according to Art. 30 Paragraph 1 GDPR?

At least eight mandatory fields are mentioned in Art. 30 Para. 1 GDPR: contact details of the controller and the DPO, purposes of processing, categories of data subjects and data, recipients, third country transfers with a guarantee instrument, deletion periods and a description of the TOM according to Art. 32 GDPR. In practice, there are four additional fields for accountability: legal basis, DPIA reference, person responsible and date of last review.

Do processors need their own processing directory?

Yes, Article 30 Para. 2 GDPR obliges processors to keep an independent register of all processing activities carried out on behalf of the contract. Mandatory information includes contact details, processing categories, third country transfers and general TOM. A two-stage structure with an internal full directory and customer-related extracts that can be issued directly during audits is recommended.

How often does the processing directory need to be updated?

The GDPR does not prescribe a fixed frequency. The standard practice is an annual full audit and an event-related update in the event of new processing, new service providers, new locations or legal changes. Supervisory authorities regularly assess a directory that has not been updated for more than twelve months as an indication of inadequate accountability practices in accordance with Article 5 (2) GDPR.

What format is allowed for the VVT?

Art. 30 Para. 3 GDPR requires written form, expressly also in electronic format. Excel tables are formally permitted, but fail in practice due to versioning, rights management and audit suitability. A dedicated compliance platform that maps version statuses, releases and links to DPIA and order processing contracts is recommended.

What happens if the processing directory is missing or incomplete?

If the VVT ​​is missing or incomplete, the supervisory authority can impose fines of up to 10 million euros or two percent of global annual turnover in accordance with Article 83 (4) (a) GDPR. An inadequate list often leads to in-depth examinations of further obligations because the supervision assumes that accountability practices are fundamentally inadequate.

No obligation

Sounds like a lot of work?

Officer duties, deadlines, paperwork — that's exactly what we take off your hands. Say hello and we'll show you how.

Turn this into a mandate.

Let us carry the operational weight. External officer, templates and documentation in one workspace. No obligation.

Related articles