In order to assist each professional in his/her GDPR compliance, the Belgian Data Protection Authority (DPA) publishes two new simplified templates for records of processing activities that are adapted to numerous cases of data processing.
What are records of processing activities?
Records of processing activities must identify:
- the name and contact details of the data controller and, where applicable, of the joint data controller, and of the data controller’s representative;
- the name of the data protection officer (when applicable);
- the categories of data processed;
- the purposes for which the data are collected;
- the list of recipients of the data (e.g. internal departments and external bodies such as your data processors);
- the periods of time and criteria for storing the data for each purpose of processing;
- the organisational and technical security measures in place to secure access to the data;
- transfers of data to countries outside the European Economic Area (EEA) (e.g. if one of your data processors uses servers located outside the EEA);
- and where applicable, the safeguards taken in connection with that transfer of data outside the EEA.
For data processors who handle personal data on behalf of another organisation (the data controller), the regulation also provides for records to be kept.
Records must include:
- the name and contact details of the data processor, and of each controller on behalf of which the processor is acting;
- the name of the data protection officer;
- the categories of processing carried out on behalf of each controller;
- where possible, a general description of the technical and organisational security measures;
- (potential) international transfers of such data outside the EEA.
Records of processing activities: a fundamental tool for GDPR compliance
Having records of processing activities is not only a legal obligation and a document that demonstrates your GDPR compliance, but also an internal management tool that gives you an overview of the processing activities of your company.
In addition, records help you better understand the personal data you are processing and help you question the relevance of using and retaining it for your business. They also help you maintain visibility of all your data processors who manage personal data on your behalf.
A simple and user-friendly format proposed by the DPA
These templates are available in .xlsx format and contain explanations and examples to help you fill in the necessary information.
In addition, this format is easy to update so that it is ready to be made available to the DPA in case of inspection.
Do you prefer the old, more elaborate format?
Don’t worry, this one is still available here.
New templates for records of processing activities
Simplified version for data controllers.
Simplified version for data processors.
Need a helping hand filling in your record of processing activities?
A few definitions
Who is the data controller?
According to the GDPR, the data controller is the legal person (company, municipality, etc.) or natural person who determines the purposes and means of the personal data processing activities.
Who is the data processor?
The data processor is the legal or natural person (company or public body) who processes personal data on behalf of a data controller. For example, a corporate email service stored on an external cloud service, or customer management software also stored on a cloud service.