Records of processing activities

The Record of processing activities

The Record of processing activities introduced by the GDPR describes the overall framework of the processing carried out, giving details on many characteristics of, and obligations attached to, the data processing operations. The Record is a very useful means of supporting an analysis of the implications of any processing, whether existing or planned. It facilitates the factual assessment of the risk that the processing activities performed by a controller or a processor pose to individuals’ rights, as well as the identification and implementation of appropriate security measures to safeguard personal data – both key components of the principle of accountability contained in the GDPR. It should be kept up to date.

The Record shall be in writing, including an electronic form. Both controllers and processors are obliged to draw up the Records of processing activities. The Record shall be made available to the supervisory authority on request.

The maintenance and updating of the Records of processing activities meet the principle of accountability, which requires controllers and processors to take responsibility for complying with the GDPR in all its requirements.

Who should maintain the Records of processing activities

As already mentioned, both controllers and processors must. In the case of processors, the Record of processing activities should be maintained for each controller, in accordance with the instructions received and with the purposes of the processing, the categories of data and the categories of data subjects concerned, on the basis of the contract and the appointment as a processor.

There are also derogations from the obligation to maintain the Records of processing activities. The obligation does not apply to controllers and processors with fewer than 250 employees provided that:

1. processing is unlikely to result in a risk to the rights and freedoms of data subjects

2. processing is occasional

3. no special categories of personal data and data relating to criminal convictions and offences are processed.

The three conditions are alternative, not cumulative: the occurrence of any one of them alone is enough to trigger the obligation to maintain the Record of processing activities. Therefore, even with fewer than 250 employees, controllers or processors who carry out processing likely to result in a risk (not just a high risk) to the rights of data subjects, or who process personal data on a non-occasional basis, or who process special categories of data or data relating to criminal convictions and offences, are obliged to maintain the Record of processing activities. For example, a small company is likely to regularly process data relating to its employees. Such processing cannot be considered occasional and must therefore be included in the Record of processing activities. Other processing activities which are in fact occasional, however, do not need to be included in the Record, provided that they are unlikely to result in a risk to the rights and freedoms of data subjects and do not involve special categories of data or personal data relating to criminal convictions and offences.

Even though the maintenance of the Records of processing activities may be regarded as a new administrative requirement and burden, it is good practice to maintain the Records on a voluntary basis as well, so that controllers and processors keep constant control over the processing activities carried out and can adjust the procedures necessary to comply with the requirements of the GDPR. This practice is encouraged by the supervisory authorities.

To assist micro, small and medium-sized organisations, the Italian supervisory authority has made available on its website a simplified template, in Italian (PDF and Excel formats).

The content of the Records of processing activities

The Record of processing activities shall contain:

1. the name and contact details of the controller, of the representative in the State (where applicable) and of the Data Protection Officer (if appointed)

2. the purposes of the processing

3. the categories of data and the categories of data subjects

4. the categories of the recipients to whom data have been or will be disclosed (including recipients in third countries or international organisations)

5. where applicable, transfers of personal data to third countries (with identification of the country) and the documentation of suitable safeguards for such transfers

6. the envisaged time limits for erasure of the different categories of data

7. a general description of the technical and organisational security measures.

Each processor shall maintain a Record of all the categories of processing activities carried out on behalf of each controller, containing:

1. the name and contact details of the processor and, where applicable, sub-processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller’s or the processor’s representative, and the Data Protection Officer (if appointed)

2. the categories of processing carried out on behalf of each controller

3. where applicable, transfers of personal data to third countries (with identification of the country) and the documentation of suitable safeguards for such transfers

4. a general description of the technical and organisational security measures.

In both cases, further information can be added to describe the processing activities more fully and to provide useful means of checking compliance with the requirements of the GDPR. For instance, it can be useful to add, or refer to, internal policies, procedures and other documents relating to the processing described (e.g. the legal basis for the processing, the information to be provided under arts. 13-14 GDPR, the origin of the data, the record of data breaches, and any data protection impact assessment carried out).



Tiziana Minella - Via Vittoria Colonna, 32 - 10155 Torino (TO - Italy) - VAT IT03152590018 - mob. +39 366.4761338 - + 39 338.6626635