The EU General Data Protection Regulation is attracting an increasing amount of attention (and concern) as the clock ticks ever-closer to implementation in 2018.
Belgium’s Data Protection Authority (“Privacy Commission”) is among the first European data protection authorities to issue guidance on the record of processing activities under Article 30 of the EU General Data Protection Regulation (“GDPR”).
Published on June 14, 2017, the guidance instructs data controllers and data processors on setting up a record of their processing activities (“Record”). This Record must be established and readily available to supervisory authorities on request by May 25, 2018. The full text of the recommendation is available in French and Dutch on the website of the Privacy Commission.
Scope of application of the obligation.
The obligation to keep a Record applies to both data controllers and data processors as defined in article 4 (7) and (8) GDPR (and their representatives, if the controller or processor does not have an establishment on the territory of the European Union).
Companies and organisations employing fewer than 250 persons are nonetheless exempted from maintaining a Record, unless (i) the data processing undertaken is likely to result in a risk to the rights and freedoms of data subjects (as explained in recital 75 GDPR), (ii) the processing is not occasional, (it being noted that, according to the Privacy Commission, general customers, suppliers and HR management data processing activities are considered ‘not occasional’), (iii) the processing includes special categories of data (sensitive data), or (iv) the processing includes personal data relating to criminal convictions or offences, or related security measures.
Despite the above exemption, the Privacy Commission recommends that all data controllers and processors maintain a Record of their processing activities, even if this obligation is not applicable to them under the GDPR. With regard to small and medium enterprises (SMEs), the Privacy Commission, nonetheless, admits that it would be sufficient to maintain only a Record of the processing activities that are not occasional.
Purpose of the recordkeeping obligation.
1. According to the Privacy Commission, the Record is an essential tool to comply with the principle of accountability under the GDPR. It is paramount for organisations to identify and obtain a complete overview of their data processing activities, in order to comply with the GDPR.
2. The Record must be made available to the supervisory authority upon request. In this sense, the Record is a substantial source of information for the Privacy Commission in the framework of the controls it carries out.
3. The requirement to notify the supervisory authority of data processing activities is removed from the GDPR, which opts instead for the requirement to maintain an internal Record. If both obligations allow the organisation to identify and provide information on its processing activities, the Record is composed of internal documents, not meant to be disclosed to the public.
Previously filed notifications may, nonetheless, be useful to create the Record, as such notifications contain certain information that must appear in the Record. However, several differences exist between the previously required notifications and the Record. Indeed, the obligation to notify was only applicable to data controllers, and not to data processors. Moreover, certain processing activities that were exempted from the notification requirement (because they were considered low risk activities such as processing for mere personnel management or customer management) must now be included in the Record. Lastly, the Record must be kept up-to-date. In its Recommendation, the Privacy Commission also attached part of the guidelines that it had published to explain to organisations how to draft notifications, as they may be a useful in drafting the Record (although these guidelines do not fully match the GDPR Record requirement). The Privacy Commission also indicated that it will keep its public register accessible for one year following 25 May 2018 (to help organisations that would like to re-use some parts of their notifications).
Content of the Record: The Record must contain information on all processing activities carried out as of 25 May 2018, whether their establishment was recent or long-standing.
1. For each data processing activity undertaken by a data controller, the Record must contain:
a. the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer (DPO) (which name and contact details must also be notified to the supervisory authority),
b. an identification and description of the purposes of the processing activity,
c. a description of the categories of data subjects and personal data,
d. the categories of recipients, whether internal or external, who have or will have access to the data,
e. transfers of personal data to a third country or an international organisation and, where applicable, the documentation of suitable safeguards,
f. the envisaged time limits for erasure of the different categories of data, and
g. a general description of the technical and organisational security measures established.
2. For each data processing activity undertaken by a data processor, the Record must contain:
(i) the name and contact details of the data processor, of each data controller on behalf of which the processor is acting and, where applicable, of the processor’s representative and of the DPO, (ii) a description of the categories of processing activities carried out on behalf of each controller; (iii) transfers of personal data to a third country and, where applicable, the documentation of suitable safeguards, and (iv) a general description of the technical and organisational security measures established.
The Privacy Commission indicates that the Record may contain additional information, as they may be useful to help organisations identifying necessary measures to comply with the GDPR. Such additional information may include elements contained in past notifications to supervisory authorities, as well as mentions of the applicable legal basis for processing, whether a data protection impact assessment is required, and a list of any personal data breaches.
3. Preparation of the Record: The Privacy Commission recommends that the organisation involve the DPO and all members of the relevant operational departments capable of providing precise information on processing activities in the creation of the Record. Furthermore, the Record must be in writing and available in electronic form, in clear and accessible language. The Privacy Commission does not provide any “model format” to create the Record, although it encourages professional bodies to establish individual templates. This Record must also be constantly kept up-to-date and, although the GDPR does not mention anything about data retention time limits once the processing activity has ended, the Commission recommends that organisations keep the processed information for accountability purposes (in accordance with applicable statutes of limitation). Finally, there is no requirement regarding languages, although the supervisory authority may request a translation of the Record in local language at the expense of the organisation of the records that are kept, e.g., in English.
4. Recipients of the Record: The Record is primarily a tool to help companies comply with the GDPR and is not intended to be consulted by the general public. Such Record must nonetheless be made available to the supervisory authority upon request.
5. Sanctions: Violation of the obligation to keep a Record may lead to administrative fines up to EUR 10.000.000 or 2% of the total worldwide annual turnover of the company, whichever is higher.