Description of Procedure
Description of Procedure
Forms for the description of procedures can be found here.
Pursuant to Article 30(1) of the European Data Protection Regulation (GDPR), the University of Oldenburg is required to keep a register of all (automated) processing activities of personal data under its responsibility and to keep it up to date. For this purpose, it is necessary that all organisational units of the University create a description of the processing activities taking place in their area and regularly check that it is up-to-date.
Among other things, this description must document which personal data are processed on what basis and how, and which technical and organisational measures are taken to ensure data protection and data security.
This description of the processing activities shall be made available to the for inclusion in the register of processing activities of the entire university and also serves as a basis for consultation/monitoring by the data protection officer as well as for a risk analysis that may be required within the framework of the so-called data protection impact assessment (Art. 35 GDPR).
The State Commissioner for Data Protection (Lower Saxony) provides a model for this description of the processing activities. General information on this can be found in the Notes of the State Commissioner for Data Protection. If you have any questions, please do not hesitate to contact the Data Protection Management Officer or the Data Protection Officer.
Note: "The controller" in the sense of the GDPR is always the University, represented by the Presidential Board. Therefore, internally we also speak of process owners or persons responsible for the data processing in your area. This refers to the persons who initiate or manage a data processing process - i.e. often heads of department, project managers or similar.