The record of processing activities (RPA) - why it is so important and how best to get started with it

Very few companies think of the register of processing activities (VVT) when they think about data protection. What few people realise is that the VVT is probably the most important component in the GDPR jungle. In the following blog post, we explain why this is the case and how you can easily and comprehensibly start creating a VVT yourself.

What is the register of processing activities and why is it so important?

A VVT is the collection in which all definable processes in the company that have to do with the processing of personal data are described. Here are a few examples of these processes:

  • Management of employee data
  • Payroll accounting
  • Accounting
  • Managing customer data
  • Operation of an online shop
  • Keeping a guest directory
  • Consultancy services for business customers
  • Offering a cloud service
  • etc.

For each process, it must be documented, among other things, which personal data is processed, by whom this data is processed, which third parties are involved in the process, etc. What exactly is required is set out in Article 30 GDPR.

First of all, in theory not every company has to keep a VVT, but in practice these exceptions are very limited, and given the advantages of the register it is advisable to keep a VVT regardless of any possible exception.

What are these advantages?

From a legal perspective, of course, the avoidance of penalties. In the event of an inspection by the data protection authority, you must present a VVT. If you are unable to do so, you may face severe penalties.

From a practical perspective, you create the basis for all other data protection obligations with a VVT. If you need an order processing agreement or a data protection policy, for example, you will already find all the necessary data in the VVT.

How do I create a VVT?

The creation of a VVT usually works best if you use a clear structure, such as the one offered by Metasoul, as this is the best way to maintain an overview. In the following instructions, we also refer to the Metasoul VVT structure, as it has proven to work well in practice. In order not to go beyond the scope of this blog post, you will find a reference to a detailed blog post for each topic, which will help you to master the individual steps without any problems.


Step 1: Define processing activities

To get started, the processes in which personal data is processed need to be defined. In our blog post on defining processing activities, we explain how you can best proceed here and avoid common mistakes.


Step 2: Define your responsibilities

Now indicate whether you are the controller or a processor in the process. If you're not sure here, read our blog post on defining responsibilities.


Step 3: Recording external service providers, customers or co-responsible parties involved

Depending on whether you are the controller or the processor, you now document which customers you receive data from and who your sub-processors are (if you are the processor), or which service providers you pass data on to (if you are the controller). If you are one of several joint controllers, the other joint controllers must be specified. The topic of "joint controllers" is also explained in the blog post on defining responsibilities.


Step 4: Documenting the categories of personal data

The next step is to record which data you process about the data subjects. It is usually sufficient to specify the "category of personal data", for example "contact data" or "payment data". As it is not always clear what a category is, you can simply enter the data types such as "First name", "Surname", "Date of birth", etc. in Metasoul, and it will suggest categories for you to choose from.

Step 5: Purpose of processing, legal basis and data subjects

For each category of data defined in step 4, you now specify the purposes for which you process data in the process, which groups of people are affected by the processing, and which processors or sub-processors are involved. If you are the controller, you will also be asked for a legal basis. If you have several purposes with different legal bases for one data category, you should create that data category once for each legal basis in the previous step. It sounds complicated, but you can find detailed instructions on how to define the purpose, legal basis and data subjects in our blog.


Step 6: Data transfer to third countries and international organisations

From a GDPR perspective, there are safe and unsafe countries for personal data. Especially when working with cloud services, it is easy for data to leave your own country. In this step, the countries to which data is transferred and the legal basis for this transfer are recorded. Metasoul offers a guided process for this step. We also cover it in our blog post on the transfer of data to third countries.


Step 7: Storage location of the data

In this step, for each data category defined in step 5, you record where you store the data and in which country that storage location is. Although this step is not explicitly required for the VVT, it makes sense from the point of view of the deletion concept to record this information at the same time.


Step 8: Deletion deadlines

The GDPR requires that personal data is only stored for as long as it is required from a business or legal perspective. This simple requirement is usually more complicated than it sounds. A number of questions need to be answered in order to create a deletion concept: Which categories of data are required, and for how long (deletion period)? When does the deletion period begin? What is the justification for the selected deletion period? You only need to fill in the deletion periods if you are the controller. You can find detailed instructions on how best to answer these questions in our blog on creating a deletion concept.

Step 9: Technical and organisational measures

Finally, it should be determined how personal data is protected within the company. This is mapped in "Technical and Organisational Measures", or TOMs for short. Metasoul records the TOMs outside the VVT. You can find out what TOMs are and how to identify and implement the right TOMs in our blog post on TOMs.

What happens next?

If you have completed the record of processing activities, you have already come further than many others before you - congratulations! You may now be asking yourself what the point of this documentation is - after all, you've put a lot of work into it and don't see any practical benefits for your day-to-day work. We can reassure you here: Drawing up good data protection guidelines and order processing agreements will be a piece of cake. This creates trust with customers and conveys professionalism. At the same time, you have laid the foundation for being able to sleep soundly when it comes to issues such as GDPR penalties or personal liability.

Conclusion

The record of processing activities takes a lot of time and energy to create. In return, it provides a detailed insight into the processing activities in the company, brings you a step closer to meeting your duty of care and thus avoiding penalties, and provides the basis for high-quality data protection guidelines and order processing agreements. What's more, creating a VVT is quick and easy with Metasoul.
