What is a data processing directory and who has to maintain one?
A data processing directory gives information on how (personal) data is processed in a company. This directory should create a good overview for companies of all processing steps in connection with personal data. Moreover, it is a useful tool for quickly responding to requests for information.
However, a data processing directory is not mandatory for all companies. If you have fewer than 250 employees and do not process especially sensitive personal data or are not involved with high-risk profiling, you do not have to maintain such a directory. For reasons of transparency and legal protection, we recommend maintaining one anyways.
The form of the data processing directory is not prescribed by law. You can create it as an Excel or Word document, for example. Use our free template to do so.
If the directory obligation is not complied with, you do not necessarily risk any immediate sanctions, but the FDPIC can order compliance with such obligations and file a report with the responsible law enforcement. In the case of legal proceedings due to a breach of the obligations to provide information, of disclosure, to cooperate or of due care, you could be fined up to CHF 250,000.
What should be included in a data processing directory?
The law stipulates that the data processing directory must include at least the following:
- The identity of the responsible person
- The purpose of processing
- The categories of data subjects and the processed personal data
- The categories of recipients of personal data
- If possible, the duration of storage of the personal data (or criteria used to determine the duration)
- If possible, information on the measures taken to ensure data security
- If personal data is disclosed abroad, the country and data protection guarantees
Always try to keep the directory up to date. This way you can ensure a good overview of all processes at all times. Moreover, it will help you if you need to quickly and comprehensively provide information.
Even if this directory is an internal document, the Federal Data Protection and Information Commissioner (FDPIC) may check it as part of an investigation. If you maintain the directory properly and keep it up to date, then it will be easy for you to prove that you complied with data protection regulations