Blog

Records of processing activities

The records of processing activities is a new obligation that is part of the GDPR, which takes effect on May 25 2018.

It is recommended to start the records of processing activities today. It will give you an immediate insight in the information you need to comply with all other obligations that result from the GDPR, such as drawing up processing agreements.  This register is a document, for example in Excel. The register must be drawn up by the controller and the processor. This register is continuously updated and has to contain information about the processing, such as contact details of the controllers and processors, the different purposes of the processes and the personal data categories.

This obligation applies to certain groups of controllers and processors of personal data. When you meet at least one of the following conditions, the records of processing activities is mandatory:

  • When your organisation employs more than 250 persons;
  • When your organisation performs processes with high risks for the rights and freedoms of the data subjects, even if there are fewer than 250 persons employed;
  • The processing activity is not incidental;
  • The processing activity concerns special data categories, for instance a health care provider that processes medical data;

The processing activity concerns criminal facts, for instance law offices that specialize in criminal law.

Who is the controller?

The controller determines the purpose and means for the processing activity, for instance when your business processes employees’ personal data. A salary slip is an example. The business is responsible for these data, and thus the controller.

Who is the processor?

The processor processes the personal data for the data controller. For example the payroll administration office that pays all salaries for your business. The processor also needs to keep a register of processing activities. This register differs from the controller’s register; it is not as extensive.

A register of processing activities has to be set up on paper and in electronic form. The contents of the register are different for the controller and the processor.

 

The records of processing activities has to contain

For the controller: For the processor:
  • The purposes of the processing activities
  • A description of the categories of the data subjects and the personal data
  • If applicable, transfers of personal data to a country outside the European Economic Area and the documents to show suitable measures have been taken to protect the transferred personal data
  • If possible, the planned time limits within which the various data categories have to be deleted
  • If possible, a general description of the technical and organisational security measures
  • The name and contact details of
    • The controller
    • The representative of the controller (only when applicable)
    • The Data Protection Officer (only when applicable)
  • The processing activity categories that have been determined by and carried out for each of the controllers
  • If applicable, transfers of personal data to a country outside the European Economic Area and the documents to show suitable measures have been taken to protect the transferred personal data
  • If possible, a general description of the technical and organisational security measures
  • The name and contact details of
    • The processor and each controller for whom the processor works
    • The representative of the controller or processor (only when applicable)
    • The Data Protection Officer (only when applicable)

Do make a start with setting up the records of processing activities. The purposes of the processing activities and the types of personal data you process, will help you decide whether you’ve taken the right amount of suitable measures. When you process medical data, for example, and the data subjects are categorized as healthcare recipients, the choice of processor is very important. It is advisable and sometimes even mandatory to work with an NEN 7510-certified processor. You would moreover prefer a processor that uses a higher security level than would be necessary if the processing activity only concerned e-mail addresses.

Tips:

  • Do not set up a records of processing activities per client, but create one register that contains all information on all clients. Keep it short!
  • Don’t make it too complicated. This register can be done in Excel and does not have to be a special tool. Keep it simple!

Do you have any questions about a records of processing activities? Or about the GDPR? Please contact us.