Record of processing activities
One of the main novelties of the GDPR is the obligation for controllers and processors to create and keep an updated record of their processing activities and the data involved, as set out in Art. 30 of the GDPR:
For data controllers, this obligation is found in the first paragraph: “Each data controller and, where applicable, the controller’s representative shall maintain a record of processing activities under its responsibility”.
For processors, we must go to the second paragraph: “Each processor and, where applicable, the processor’s representative shall maintain a record of all categories of processing activities carried out on behalf of a controller”.
The article continues by indicating the minimum contents of the record of processing activities, also indicating that it can be created and maintained in electronic or manual format.
How to organise the record of processing activities?
The website of the AEPD explains basic aspects of this obligation, indicating the minimum data that the record of processing activities must contain:
- the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer;
- the purposes of the processing;
- a description of the categories of data subjects and the categories of personal data;
- the categories of recipients to whom the personal data has been or will be disclosed, including recipients in third countries or international organisations;
- where applicable, transfers of personal data to a third country, including the identification of that third country or international organisation and, in the case of the transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
- where possible, the envisaged time limits for erasure of the different categories of data;
- where possible, a general description of the technical and organisational security measures.
Where the record is the processor’s, the name of the controller on whose behalf the processor is acting must be added to the above.
At a practical level, a good record of processing activities should be the basis for the remaining GDPR obligations, which include:
- A good consent collection system, if necessary.
- A correct data erasure system.
- The risk analysis, and when appropriate, the impact assessment.
To this end, the record of processing activities must clearly define the purpose of each processing operation, avoiding generic records such as “clients”, “workers” or “suppliers”.
A good record of processing activities clearly identifies which type of processing is carried out on each category or type of data; then, and only then, is the record complete. Some of the usual records of processing activities are:
- Customer Management.
- Billing and administration.
- Customer Support.
- After-sales service.
- Payroll management.
- Personnel selection.
- Personnel training.
- Labour control.
- Video surveillance.
As can be seen, even though the category of data subjects may be the same in several of these examples (for example, labour control and personnel training both affect workers), aspects such as the lawful basis, the data retention period or the purpose may differ in each case.
This work is very often carried out with GDPR compliance programmes or tools, although the company or its advisor should, in any case, ensure that the criteria set by the company that owns the programme are adapted to the situation of the controller or the processor.
These tools are very useful but, as always, they must be adapted to the needs of the person who must comply with the GDPR and not the other way around. Having a good record of processing activities is the basis for proper compliance with the GDPR.
If you need more information about this issue for your company, don’t hesitate to contact us!