From 25 May 2018, organisations processing personal data within the EU must maintain records of processing activities pursuant to the General Data Protection Regulation (“GDPR”).
Organisations employing fewer than 250 people are exempted from maintaining such records, unless the processing they carry out:
- is likely to result in a risk to the rights and freedoms of data subjects (e.g. automated decision-making);
- is not occasional; or
- includes sensitive data (e.g. health data or data revealing ethnic or racial origin).
The Privacy Commission’s recommendation provides valuable insights into the scope of the exemption from maintaining records of processing activities. The guidance states that “not occasional processing” should include processing activities related to client management, employee (human resources) management or supplier management. Our take is that very few organisations will benefit from the exemption from maintaining records. This is reinforced by the Privacy Commission’s recommendation that all organisations processing personal data maintain records of processing activities, even if they employ fewer than 250 people.
Interestingly, the Privacy Commission sheds some light on the information that records of processing activities must contain. In substance, such records should provide information on who processes personal data, what data is processed and why, where, how and for how long data is processed.
Records must contain the name and contact details of the processing organisation, its representative and, where applicable, its data protection officer.
Records must identify:
- the categories of data subjects (e.g. employees, clients, suppliers, external services providers, children, etc.); and
- the categories of personal data (e.g. identification data (including national security number), financial data, consumption habits, data concerning education and profession, data revealing political opinions, image and sound recordings, etc.).
In addition, the Privacy Commission recommends that organisations identify in their records which data qualifies as sensitive data.
Records must contain a description of the purposes of each processing activity, e.g. management of employees and intermediaries, monitoring of the workplace, client management, etc. The description of the purposes should be sector-specific (e.g. account management for banks, donors’ registrations for hospitals, students’ administration for schools, etc.). The Privacy Commission further recommends that each of the processing purposes be described in both a general and detailed manner.
Records must identify the categories of recipients to whom the personal data has been disclosed. Recipients (which may be third parties or persons within the organisation) may be, for example, personal acquaintances of the data subject, employers, other services or affiliates of the organisation, police and justice representatives, personal data brokers for direct marketing, etc. Records must also contain information on transfers of personal data to a country located outside the European Economic Area, including the identification of that country. Finally, records must contain documentation setting out suitable safeguards in the rare cases where a transfer is necessary for the purposes of the compelling legitimate interests of the organisation, all other safeguards or that derogations from the transfer are non-existent or non-applicable and the competent supervisory authority has been informed of the transfer.
Records of processing activities must contain a general description of the technical and organisational measures required to ensure a level of security appropriate to the risks. Those measures may include, for example, encryption of data, systematic data back-ups or regular testing of the effectiveness of the security measures.
Records must contain the envisaged time limits for erasure of the different categories of personal data. Interestingly, the Privacy Commission acknowledges that a quantitative reference to days, months or years might be difficult to provide in practice. It therefore allows organisations to use parameters instead, such as the time that would be needed to manage disputes or the expiration of a limitation period.
Data processors, i.e. organisations processing personal data on behalf of other organisations, are exempted from providing information on the purposes of processing, the categories of personal data, data subjects and recipients, and the envisaged time limits for erasure. Data processors must, however, identify in their records each of the organisations on whose behalf they are processing personal data. When organisations are acting as both controllers and processors of personal data, the Privacy Commission recommends that the records of processing activities be divided into two parts or that each identified processing purpose states whether the processing is made as a data controller or a data processor.
The Privacy Commission does not mandate the record of processing activities to be drafted in one of the three Belgian official languages (Dutch, French or German). This is good news for Belgium-based multinationals, as they would be allowed to use records prepared in English, for example. The Privacy Commission expands the role of data protection officers, who should be involved in maintaining records for processing activities, although such a task is not part of their functions attributed under the GDPR.
Unfortunately, the Privacy Commission did not go as far as issuing a template record of processing activities to be used as a starting point by Belgium-based organisations. Instead, it encourages sectorial institutions to provide such a flexible and modular template to meet the needs of the organisations that they represent. This approach contrasts with that of the Commission Nationale de l'Informatique et des Libertés (the French data protection agency) which recently issued a sector-agnostic template record of processing activities. The Datenschutzkonferenz (an EU body consisting of Europe’s national data protection authorities) also announced that it will provide organisations with a template record of processing activities by the end of this year.
Data privacy professionals should welcome those local initiatives. However, the absence of an EU-wide recommendation may result in multinational organisations being obliged to prepare records of processing activities that are country-specific as to their format or content. To prevent such fragmentation, the Working Party 29 (the association of EU data protection authorities) may be well inspired to provide a common set of guidelines about records of processing activities.