The Belgian Commission for the Protection of Privacy (“Privacy Commission”) has recently published guidance on Article 30 of the GDPR, which contains the obligation for data controllers and processors to record their processing activities.
This record will have to be up to date by 25 May 2018 and readily available to the regulator should it ask to view it.
In its guidance the Privacy Commission goes into a large amount of detail regarding what information the record should contain, namely:
- The name and contact details of the data controller (and joint controller), its representative and its data protection officer.
- The purpose of each processing activity. The Privacy Commission explains that any general description (e.g. HR administration) will have to be supplemented with more specific descriptions. As an example, the Privacy Commission recommends using the existing list of purposes contained in the explanatory note of the current notification form.
- The categories of data processed (e.g. identification data (including national security number), financial data, employment data, recordings of images and sound, etc.). The Privacy Commission recommends that sensitive personal data is identified as such in the record.
- The type of data subjects concerned by the processing activities (e.g. employees, clients, suppliers).
- Categories of recipients to whom the personal data is being disclosed, including whether they are located inside or outside the EEA and whether they are internal or external to the processing organisation (tax authorities, business partners, social security, police, etc.). For data sent outside the EEA, the Privacy Commission specifies that the country to which the data is routed needs to be named in the record, the competent authority needs to be informed of the transfer, and appropriate safeguards need to be put in place to protect the data (for example a contract, a copy of which should be inserted in the record). Data can only be transferred outside the EEA for a compelling, legitimate interest of the organisation.
- How long data will be kept before erasure. The Privacy Commission acknowledges that recording an estimate in days, months or years may not be appropriate; instead, recording parameters such as the time needed to manage disputes or the expiry of a limitation period may be best suited.
- The technical and organisational measures taken to ensure a level of security appropriate to the risk.
The Privacy Commission also explains that only information relevant to the processing activities must be recorded by data processors.
The GDPR contains an exemption to the recording obligation for organisations employing fewer than 250 people (SMEs) unless the processing carried out:
- is likely to result in a risk to the rights and freedoms of data subjects;
- is not occasional (examples of non-occasional processing activities given by the Privacy Commission are those relating to client management, employee management and supplier management); and
- includes sensitive data.
The Privacy Commission recommends that all data controllers and processors maintain a record of processing activities (but only those relating to non-occasional processing for SMEs).
The Privacy Commission does not impose a specific format for the record in its guidance. However, it has reserved the possibility of setting a standard format which would form the basis of the record. This would be helpful for processing organisations and would align with the activities of other European regulators such as the French CNIL, which recently issued a standard cross-sector template record. Ideally, an EU-wide template should eventually be created by the Article 29 Working Party so that multinational processing organisations do not have to prepare country-specific records.
The Privacy Commission stresses that the record must be a live document that is constantly updated to take into account any new processing activity of the organisation. It should nevertheless be in writing and available in electronic format, in any language, with the possibility for the Privacy Commission to request a translation of the record into one of the Belgian official languages (i.e. Dutch, French or German) at the expense of the organisation (if it is not originally in one of the official languages).
Finally, the Privacy Commission explains that although the GDPR does not specify the period during which the information in a record should be retained once a specific processing activity ceases, it could be beneficial for accountability purposes to keep that information together with a mention of the period during which the processing was carried out.