Record of data processing activities: who, what and how?

8 August 2017

As from the entry into effect of the GDPR (General Data Protection Regulation) on 25 May 2018, many companies will be obliged to maintain a record of data processing activities. This record will replace the current obligation to notify the Privacy Commission. Based on a recent recommendation of this body, it seems that this obligation to maintain a record is very extensive and will apply to almost all companies. The Privacy Commission also published a template record this week.

In our Newsflash of 23 March 2017 we gave you an overview of the companies to which the obligation to maintain a record applies.

According to the GDPR, any company - regardless of its size - that processes personal data “not incidentally” will have to maintain a record of this processing. In its recent recommendation, the Privacy Commission clarifies that client management, personnel management or supplier management can be regarded as “not incidental” processing. Even though these types of processing currently benefit from an exemption from the notification obligation with the Privacy Commission, they will now have to be included in a record as from the entry into effect of the GDPR. The Privacy Commission therefore changes its earlier position that those types of processing that  benefitted from an exemption from the notification obligation could be considered as incidental and therefore would not result in an obligation to maintain a record.

This new position of the Privacy Commission implies that every company that keeps data on its personnel, clients and/or suppliers or other persons, will have to maintain a record of its processing activities. In practice, virtually every company will thus have an obligation to maintain a record. The types of processing that have to be included in the record can differ depending on the size of the company.

In addition, the Privacy Commission has confirmed that it generally recommends all data controllers and data processors to maintain a record in the framework of the “accountability obligation”.

The Privacy Commission further clarifies that the record can be maintained electronically as well as on paper and that the matter at hand is a “dynamic” obligation, meaning that the record has to be updated continuously.

This week the Privacy Commission published a template record in Dutch and French that could be a preliminary aid in mapping the data streams within a company. The Privacy Commission has clarified that the template register is not an official document, and that other registers are also allowed. In any event, the register will have to be tailored to your company. You can download the template register with the following links in French or Dutch.

> Action point
Almost all companies processing personal data will have to maintain a record of such. Claeys & Engels is happy to assist you in this.