What do companies have to include in the records of processing activities?
GDPR requires companies to keep an internal record containing information on all personal data processing activities carried out by the company.
According to the General Data Protection Regulation (GDPR) Art. 30, records of processing activities must include significant information about the data processing, including:
- data categories,
- the group of data subjects,
- the purpose of the processing and
- the data recipients.
This must be made available to authorities upon request.
Which companies are obliged to keep records of processing activities?
Each company that meets at least one of the following conditions has to keep a record of data processing activities:
- Processing personal data periodically (not occasionally).
- Having more than 250 employees.
- Processing any amount of sensitive and private data (concerning health, sexual orientation, racial or ethnic origin, political opinions, religious or philosophical belief, criminal records, etc.).
Companies that carry out any of the following activities are also obliged to keep the records:
- Evaluating work-related performance,
- Monitoring individuals' behaviour, location and/or movements,
- Providing insurance, investment, and financial services to private individuals,
- Providing a loyalty scheme (e.g. customer card) in a retail business,
- Registering/collecting customer information,
- Compiling the marketing profile of customers,
- Providing recruitment or personnel rental services,
- Collecting personal data related to gambling,
- Collecting data related to children, the elderly or mentally ill persons,
- Matching and combining personal data originating from various sources (big data),
- Transmitting personal data outside the European Union (including cases where the personal data is kept on servers located outside the EU).
How to store records of data processing activities?
It is important to know that all the records must be kept in an electronic form and be updated regularly.
If your company is obliged to appoint a Data Protection Officer (DPO), then the DPO is responsible for keeping the records of processing activities.
GOOD TO KNOW:
There are several templates available at GDPR Register, which help to identify what information should be recorded about the data processing activities and how it should be structured.
What exactly has to be documented?
If you are appointed as a Data Protection Officer (DPO) under Article 37, you are obliged to document the following:
- Your company’s name and contact details.
- If applicable, the name and contact details of any joint DPOs.
- The purposes of the processing – why you use personal data (customer management, employment, marketing, sales).
- The categories of individuals (e.g. employees, customers).
- The categories of personal data you process (e.g. contact details, health data).
- The categories of recipients of personal data (e.g. collaboration partners, third parties, tax department, university).
- If applicable, the name of any third countries or international organisations that you transfer personal data to.
- If applicable, the safeguards in place for exceptional transfers of personal data to third countries or international organisations.
- If possible, the retention schedules for the different categories of personal data.
- If possible, a general description of your technical and organisational security measures (e.g. encryption, employee training, access restrictions to contracts and other personal data).
Below you can see how to document your processing activities using the GDPR Register online platform.