Processing Activities
What is a processing activity?
A processing activity is any type of handling of personal data, such as collecting, storing, organizing, using, sharing, changing, or deleting data. Each of these actions falls under the term “data processing” and must be documented in accordance with the GDPR. If IT applications (IT systems, software, or other digital tools) are used for the processing of personal data, these must also be recorded. This documentation is kept in the directory of processing activities.
VVZ – simply explained
A record of processing activities (VVZ) is an overview that documents all data processing operations of a company or organization. It contains key information such as the purposes of processing, the categories of data processed, the data subjects concerned, and the recipients of the data. The record must be maintained in accordance with Art. 30 GDPR.
Why should a VVZ be maintained?
- Clarity and overview: It presents all data processing operations at the university in a structured manner, so that it is always known which data is being processed, how, and for what purpose.
- Legal protection: The VVZ fulfills the principle of accountability and serves as proof that personal data is processed in compliance with data protection law.
- Risk identification: Maintaining the VVZ allows potential risks to the rights and freedoms of natural persons to be identified quickly and appropriate protective measures to be taken.
- Efficient administration: It simplifies the handling of all data protection matters, as all relevant information is bundled and easily accessible.
Who is responsible for managing the VVZ?
The data protection coordination team is responsible for maintaining the VVZ, while the area managers (heads of organizational units, institutes, and research projects) ensure that data processing is carried out correctly within their areas of responsibility. Together, they ensure that the VVZ is kept up to date.
Notification of a new processing activity or application
In order to keep the VVZ up to date, it is important to report new processing activities to the data protection coordination team before they are introduced. This notification ensures that all parties involved – both internal and external – are informed about which personal data is being processed, for what purpose, and on what legal basis.
Any changes to an existing processing activity or the termination of a processing activity must also be reported to the data protection coordination team without delay.
If there are plans to introduce a new application (IT system, software, or digital tool) and personal data is to be processed, this must be reported to the data protection coordination team. If personal data of university employees is to be processed, the application must be presented to the University of Innsbruck's data protection committee prior to its introduction, which will review its compliance with data protection regulations.
The registration form can be found here: Meldung einer Verarbeitungstätigkeit (notification of a processing activity)
The data protection coordination team will be happy to help you with any questions or problems you may have.
Example 1: Verarbeitungstätigkeit in der Verwaltung (processing activity in administration)
Example 2: Verarbeitungstätigkeit in der Forschung (processing activity in research)
Data Processing Agreement
Commissioned processing within the meaning of Art. 28 GDPR occurs when a natural or legal person, public authority, agency or other body (the processor) processes personal data on behalf of and on the instructions of a controller (the client).
The processor does not itself decide on the purposes and means of the data processing, but carries out the processing exclusively in accordance with the documented instructions of the controller. Use of the data for any other purpose, in particular for the processor's own purposes, is not permitted.
The processor is obliged to implement appropriate technical and organizational measures (TOMs) within the meaning of Art. 32 GDPR to ensure the security of the processing. The controller, in turn, has a duty of care and oversight when selecting the processor: it must ensure that the processor provides sufficient guarantees of compliance with the GDPR.
A contract or other legal instrument must be concluded between the controller and the processor in accordance with Art. 28 (3) GDPR.
Commissioned processing within the meaning of Art. 28 GDPR exists, for example, when:
- an external service provider is commissioned to manage the IT infrastructure or to store data
Templates:
- Processor model contract 1.0
- Data protection checklist for commissioned processing
- Appendix TOMs