In the first blog article of our series on the revised Swiss Data Protection Act (DSG), we presented the most important new features and changes it introduces. In part two, we take a closer look at the register of processing activities, which is now mandatory. What does a DSG-compliant register consist of? How do you go about creating one? All this is explained here.
Let's say you want to order five litres of the finest olive oil from your favourite shopkeeper. When you ask him, he replies that he doesn't know how much of it he has in stock or when the next delivery will arrive. Unimaginable, isn't it? Yet this is exactly what happens if the shopkeeper has no up-to-date inventory. Many companies are in the same position when it comes to data protection: they have no inventory of their data processing.
As described in the first part, the aim of the new law is not just to significantly strengthen data subjects' rights. It also adopts a risk-based approach: the privacy risks inherent in collecting and processing data are taken into account when the processing is designed, not afterwards. In concrete terms, data protection requirements are planned from the start of the processing cycle and implemented with appropriate measures. The revised Data Protection Act (Art. 12, para. 1) states clearly that the controller and the processor each have to keep a register of their processing activities, in other words an inventory of their data processing.
Alongside the strengthening of data subjects' rights, the requirements for transparency in data processing have also increased. The register of processing activities is the central documentation instrument of a managed data protection management system, which underlines its importance. The register is also an important tool for the company's data protection officer, for example in exercising the supervisory function within the company or in handling data protection breaches. And don't forget: the register also makes it easier to deal with authorities such as the EDÖB (Federal Data Protection and Information Commissioner), because it allows compliance with data protection obligations to be demonstrated.
SMEs may now be asking themselves whether they also have to keep a register. The answer is: not necessarily. Companies with fewer than 250 employees whose data processing entails only a low risk of harm to the personality of data subjects are exempt. The exact requirements are expected to be set out in the Ordinance to the revised Data Protection Act.
To understand exactly what needs to be included in the inventory or register, we first need to take a closer look at the term "processing". The revised DSG (Art. 5, let. d) defines it as follows: "Any handling of personal data, regardless of the means and procedures used, in particular the collection, storage, keeping, use, modification, disclosure, archiving, deletion or destruction of data."
So even though a single processing activity may span a variety of files and data processing programs, it is the purpose of the processing that determines where one processing activity ends and the next begins. To identify the activities, it is worth starting from the business processes and then breaking them down into the systems and applications involved. This gives a view of the purpose of the collection, the processing itself, and which categories of personal data are processed in which systems.
In principle, each controller or processor is free to decide in what form or in which application the register is kept; the legislator is specific only about its content.
According to the revised DSG (Art. 12), the controller's register must contain at least the following information:
The processor's register must in turn contain at least the following information:
An obligation to report the directories to the EDÖB (Swiss Federal Data Protection and Information Commissioner) only applies to federal bodies.
The register of processing activities is the inventory of all data processing and the basis for checking whether that processing is lawful. It shows the processes, procedures and applications used to process personal data and names the person responsible for each processing activity (the owner). It also shows the type and scope of the personal data processed and its recipients, both in Switzerland and abroad. The register may also reveal the need for a data protection impact assessment where the nature, scope, circumstances and purpose of the processing point to a high risk to the rights and freedoms of the data subjects. The technical and organisational measures taken should also be part of the inventory, so that it ultimately also serves as the source for assessing whether the measures taken to reduce the risk are adequate.
The diagram below shows how the individual data protection processes interact with the register of processing activities:
In our experience, the first step is to identify the business processes together with the systems, applications and responsible persons involved. An inventory of the applications and processes that handle personal data, linked to the purposes of processing, shows which data is processed where and for what purpose.
Categorising the type and scope of the data and identifying the groups of data subjects affected then reveals the risk situation with regard to the rights of those data subjects. At this point, a decision is also made on whether a data protection impact assessment is needed, and the appropriate measures are derived from it.
The final step is to specify the recipients of the data. The following questions are useful here: Is the data transferred abroad? If so, to which country? How is it transferred? Does the destination country offer an adequate level of data protection?
The diagram below shows a possible procedure for creating a register:
Data protection in general, and maintaining a register in particular, is an iterative process. It must therefore be ensured that a process is in place to update the register regularly, for example whenever new data processing is introduced or existing processing is modified.
Unlike the olive oil seller, you as the controller have, by means of an up-to-date register of processing activities, an overview of which personal data is processed where, for what purpose and in what form. Detailed, up-to-date documentation of data processing activities and the associated processes therefore remains an important task, and it forms the basis for the lawful processing of personal data under the revised Data Protection Act.
What does your inventory look like? Are you ready for the revised data protection law, or, like many businesses, are you overwhelmed by all the requirements? Regardless of how far along you are, our data protection experts are here to help you with all these issues. If you want to get started yourself, you can download our free guideline on the GDPR register of processing activities (in German) as a starting point, including a template to put your new knowledge into practice straight away.
In the third part on the register of processing activities, I will explain which processes are relevant to the register, why they matter and how to implement them successfully. The best thing is to subscribe to our newsletter so you never miss a thing!