The Belgian Data Protection Authority recently published a template that can be used by organisations for meeting their Article 30 “Record of Processing Activities” obligation.
From 25 May 2018 onwards, the General Data Protection Regulation (“GDPR”) will require each data controller and data processor to keep a record of all processing activities under their responsibility. Article 30 of the GDPR lays out the information that data controllers and data processors should include in their record.
- They are expected to maintain extensive and up-to-date internal records of their data processing activities. The information required from data controllers is more extensive than that required from data processors.
- Such records should be kept on paper or in electronic form.
- The requirement does not apply where an organisation employs fewer than 250 people and the processing is not likely to result in a risk for the rights and freedoms of data subjects, is occasional, or does not include special categories of data. (Based on this, it is likely that the organisations to which the requirement does not apply will be in the minority.)
- Non-compliance with this obligation could give rise to fines of up to EUR 10,000,000 or up to 2% of an organisation’s worldwide annual turnover.
In Belgium, this obligation replaces the current notification obligation, which requires organisations to notify the Privacy Commission of their processing activities before carrying them out. The abolition of this obligation will mean that organisations will have fewer administrative hurdles before processing data. However, organisations should be aware that, under the new obligation of the GDPR, they may have to record certain processing activities which did not have to be notified under the current regime of notification.
In order to assist organisations, the Privacy Commission has published a template that organisations can use to record their processing activities.
- The template contains more information than required by the GDPR, but the Commission has indicated that this information is equally important under the GDPR.
- The template is not an official document and organisations are free to use any other record as long as its purpose is to provide a complete overview of the personal data processing performed. However, the template does provide organisations with an example of what the Privacy Commission is expecting to see in terms of record keeping and therefore helps shed some light on the issue of practical implementation of the GDPR at this point in time.
- As organisations will be obliged to make their records available to the Privacy Commission upon request, it is worthwhile reviewing the template which has been made available.