The register of processing activities: a must for companies

What?

As a company you must register internally which personal data[1] (of customers, suppliers, employees, etc.) you process[2]. This legal obligation to keep the so-called 'register of processing activities' (Article 30 of the General Data Protection Regulation, hereinafter: AVG) does not apply only exceptionally.[3]

The 'register of processing activities' is a control tool for the Data Protection Authority as it provides an overview of all processing operations within the company.

The register is not public, but can be requested by the Data Protection Authority for inspection.

Form?

The GDPR only provides that the register must be kept in writing and also electronically.

A form often used in practice is a simple Excel file. In addition, all kinds of software tools and online platforms are now available.

Content?

It concerns a register of processing activities. The register therefore contains no actual personal data, but only a summary of the processing operations (or therefore a description of the use of the personal data).

For a company controller[4] the register must contain at least the following information:

  • the name and contact details of the responsible person(s) and the data protection officer within the company (if you have appointed one);
  • the processing purposes (e.g. for customer management, supplier management, personnel management, etc.);
  • the categories of data subjects (whose data is processed?) and personal data (for example identification data, financial data, image or sound recordings, etc.);
  • the categories of recipients of personal data (to whom are the personal data transferred: trading partners, police and judicial authorities, etc.?);
  • any transfers of personal data to a third country (outside the EU and the EEA) or an international organisation;
  • retention periods (per processing purpose and in days, months, years or parameters – for example, the time needed to achieve the intended purpose, the expiry of a limitation period, etc.);
  • description of the technical and organizational security measures taken to protect the data

Retention period?

The GDPR does not specify how long a processing activity must be kept in the register after the processing concerned has ended.

The Data Protection Authority recommends to include processing activities that are discontinued in the register for another five years, as checks by the Data Protection Authority are still possible during the aforementioned period.

In view of those circumstances, it is appropriate to provide an extra column in the register stating the start and end dates of each processing.

To update!

The register must always be up-to-date, in the sense that a new processing activity or a change in the processing activities must be registered.

It is therefore advisable to alert employees within the company to the fact that when new projects are started up, new processing activities may also have to be included in the register and the person responsible within the company must be informed about this.

Sanction?

The lack of a register of processing activities or an incomplete register can be sanctioned with an administrative fine of up to EUR 10,000,000 or up to 2% of the total worldwide annual turnover in the previous financial year, whichever is higher.

If you have any questions about creating or updating your register of processing activities, please do not hesitate to contact us: elisah.vanhecke@vsadvocaten.be.


[1] Personal data concerns all information about an identified or identifiable natural person (not legal entities).
[2] This includes collecting, recording, organizing, structuring, storing, updating or modifying, retrieving, consulting, using, transmitting, disseminating or otherwise making available, aligning or combining, shielding, deleting or destroying personal data.
[3] Companies that employ less than 250 employees are not required to keep a register, unless: (i) the processing is likely to pose a risk to the data subjects (whose personal data are processed) or (ii) the processing concerns special/sensitive data (including health data) or (iii) the processing is not occasional (i.e. not occasional, coincidence or unforeseen – for example the processing of personal data when organizing a competition on the occasion of the company's thirtieth anniversary). The aforesaid (i) risk, (ii) processing of sensitive data (such as employee health data) and (iii) the usual processing of personal data (for example, by maintaining a customer file, personnel file and/or in the case of supplier management) will almost always This means that most SMEs also have to keep a register. After all, even in a pure B2B context, companies process personal data of (contact persons at) customers and suppliers.
[4] As a company, you are the controller if you purpose from and the resources for the processing of personal data. In particular, you have the decision-making power with regard to the processing.

en_GBEN