The General Data Protection Regulation (Regulation (EU) 2016/679, the GDPR) will soon be directly applicable throughout the European Union. Companies, public administrations and private individuals are in the final rush to comply with the provisions of the new legislation.
To make a complex and detailed text such as the GDPR easier to understand, we propose below a collection of short factsheets in a Q&A format. Starting from familiar privacy concepts, they give a first, brief guide to reading the new legislation.
What is the record of processing activities?
This is a new obligation introduced by the GDPR (Article 30). It requires written documentation of the processing activities carried out under the responsibility of the controller and, for the processor, of all categories of processing carried out on behalf of a controller.
Whose obligation is it to keep records?
What is new in the GDPR is that the controller and the processor are each independently responsible for drafting and keeping their own record. The controller’s record and the processor’s record are therefore two distinct documents, each with its own prescribed content.
Compiling the record may be delegated to the Data Protection Officer (DPO); this does not, however, transfer responsibility for compliance with the obligation away from the controller or the processor. The controller and the processor may also ask for help from department managers in their organisations, who are usually more familiar with the processing carried out in their departments and can more easily provide specific, detailed information about it.
Are there any exemptions in the GDPR?
The Regulation provides that the obligation to maintain a record of processing activities does not apply to an enterprise or organisation employing fewer than 250 persons. The exemption applies, however, only if all of the following conditions are met: the processing is not likely to result in a risk to the rights and freedoms of data subjects, it is only occasional, and it does not include special categories of data (e.g. health or biometric data) or personal data relating to criminal convictions and offences. In practice the exemption is narrow: regular processing such as employee or customer administration is not occasional, so even small organisations will usually have to keep a record of at least those activities.
What information should be contained in the record?
The minimum content differs depending on whether the document concerns the controller’s processing activities or those of the processor.
In the first case, the controller shall indicate:
a) the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer;
b) the purposes of the processing;
c) a description of the categories of data subjects and of the categories of personal data;
d) the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organisations;
e) where applicable, the identification of the third country or international organisation to which data are transferred, including, where required, the documentation of suitable safeguards;
f) where possible, the envisaged time limits for erasure of the different categories of data;
g) where possible, a general description of the technical and organisational security measures.
In the second case, the processor shall specify only:
a) the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller’s or the processor’s representative and the data protection officer;
b) the categories of processing carried out on behalf of each controller;
c) where applicable, the identification of the third country or international organisation to which data are transferred, including, where required, the documentation of suitable safeguards;
d) where possible, a general description of the technical and organisational security measures.
Can the record be drafted and kept in electronic form?
The GDPR provides that the record of processing activities must be in writing, including in electronic form. It may therefore be drafted and kept directly on IT systems, for example as a spreadsheet or in a dedicated register application. Since the record describes where personal data are held, to whom they flow and how they are protected, it should be treated as sensitive documentation: restrict who can read and edit it, and keep a version history so that the copy in force at any given time can be produced if asked.
Are there other obligations which go with the record?
Simply drafting the record is not enough to be fully compliant with the GDPR. The record must be reviewed and updated periodically, in particular by adding new processing activities and removing those that have ended, so that it always reflects the organisation’s current processing.
In addition, the controller and the processor (and, where applicable, their representative) are obliged to make the record available to the supervisory authority on request.