Record of processing activities
The record of processing activities lets you inventory your data processing operations and gives you an overview of what you do with the personal data concerned.
The obligation to keep a record is laid down in article 30 of the GDPR. It is a tool to help you comply with the Regulation.
The record is a document for inventory and analysis purposes. It must reflect the reality of your personal data processing and allow you to identify precisely, among other things:
- The actors involved in the data processing (controller, processors, representative, joint controller, etc.);
- The categories of data processed;
- The purpose of the processing (what you do with the personal data collected), who has access to it and who the recipients of the personal data are;
- For how long you retain the personal data;
- The technical and organizational security measures implemented.
Aside from being an obligation laid down by article 30 of the GDPR, the record is an internal control tool and, as mentioned above, a way to demonstrate your compliance with the GDPR. It allows you to document your data processing and to know which questions you must ask yourself before and while processing the data: do I really need this particular data item for this specific processing? Is it relevant to retain all this data for so long? Is the data sufficiently protected?
Creating and updating the record are opportunities to identify and prioritize the risks of your processing in light of the GDPR. This essential step will allow you to draw up an action plan for bringing your processing into compliance with data protection rules.
The CNIL presents here the main elements of the record and also offers a record template meeting the conditions set by the GDPR.
Who is subject to the obligation?
The duty to maintain a record of processing applies, in principle, to all entities, both private and public, regardless of their size, provided they process personal data.
Measures for entities with fewer than 250 employees
Companies with fewer than 250 employees are not obliged to keep a record. However, they must keep a record as soon as any of the following applies:
- The data processing is not occasional (for example: payroll management, customer, prospect and supplier management, etc.);
- The data processing is likely to result in a risk to people's rights and freedoms (for example: geolocation systems, video surveillance, etc.);
- The data processing concerns sensitive data (for example: health data, data relating to criminal offences, etc.).
In practice, this exemption is limited to certain processing operations that are implemented only rarely and on an ad hoc basis. This may be the case, for instance, of an advertising campaign promoting the opening of a new branch of a company, provided that the processing does not present any risk for data subjects. If you are not sure whether this exemption applies to your data processing, the CNIL advises you to include it in your record.
What does the record include?
Article 30 of the GDPR lays down specific requirements for the controller's record and for the processor's record. If your organization acts both as a controller and as a processor, the record must clearly distinguish the two categories of activities.
In practice, in this situation, the CNIL recommends that you keep two records:
- One for the processing operations for which you are the controller yourself;
- Another for the processing you perform, as a processor, on behalf of your customers.
The controller's record must inventory all the processing operations implemented by your organization.
In practice, a record entry must be created for each of these activities.
This record must include the name and contact details of your organization, as well as, where applicable, those of your representative (if your organization is not established in the European Union) and of your data protection officer, if you have one.
Furthermore, for each processing activity, the record entry must include at least the following details:
- Where applicable, the name and contact details of the joint controller;
- The purpose of the processing, i.e. the reason why you collected this data;
- The categories of personal data (e.g. identity, family situation, economic and financial situation, banking data, connection data, location data, etc.);
- The categories of recipients to whom the personal data have been or will be disclosed, including the processors you use;
- Transfers of personal data to a third country or to an international organization and, in certain specific cases, the safeguards provided for these transfers;
- The envisaged time limits for erasure of the different categories of data, in other words the retention period, or the criteria used to determine it;
- Where possible, a general description of the technical and organizational security measures you implement.
The processor's record must inventory all categories of processing activities carried out on behalf of your customers.
In practice, a record entry must be created for each category of activity (data hosting, IT maintenance, survey mailing service, etc.).
This record must include the name and contact details of your organization, as well as, where applicable, those of your representative (if your organization is established outside the European Union) and of your data protection officer, if you have one.
For each category of activity carried out on behalf of customers, it must include at least the following elements:
- The name and contact details of each customer (controller) on whose behalf you process data and, where applicable, the name and contact details of their representative;
- The name and contact details of the processors (sub-processors) you yourself use for this activity;
- The categories of processing carried out on behalf of each customer, in other words the operations actually performed for them (for example, for the category "survey mailing service": email address collection, secure message sending, unsubscribe management, etc.);
- Transfers of personal data to a third country or to an international organization. In certain very specific cases, covered by the second subparagraph of article 49(1) (no adequacy decision under article 45 of the GDPR, no appropriate safeguards under article 46 of the GDPR, and none of the derogations in the first subparagraph of article 49(1) being applicable), the safeguards put in place to frame the transfers must be documented;
- Where possible, a general description of the technical and organizational security measures you implement.
What form must the record take?
The GDPR only requires the record to be in writing. Its format can be chosen freely, and it can be kept on paper or in electronic form.
To make keeping the record easier, the CNIL offers a basic record template (ODS format) designed to meet the most common data processing needs, in particular those of small organizations (very small businesses, SMEs, associations, small local authorities, etc.).
The template meets the requirements of article 30 of the GDPR. The CNIL recommends, where possible, that you also fill in the additional (optional) fields of the template, in order to make the record a more comprehensive compliance tool.
Who must keep this record?
The record must be kept by the controller or processor themselves. In this way, they have an overview of all the personal data processing activities they carry out.
Someone within the organization may be specifically tasked with maintaining the record. If the organization has designated a data protection officer (DPO), whether internal or external, the DPO may be put in charge of it. The record can then be one of the tools enabling the DPO to carry out their mission of supporting compliance with the GDPR and their task of informing and advising the controller or processor.
How do you create a record?
Gather the available information
- Identify and meet the operational managers of the various departments likely to process personal data.
- Analyze your website and identify the data collected in online forms (contact, questionnaire, account creation), the data protection notices, the use of cookies, etc.
- Use the list of processing operations previously declared to the CNIL.
List the processing operations based on the information collected
- List in a tracking table the various activities that require personal data processing. A processing operation must be identified by its purpose and not by the software used, because the same software can serve several processing operations, and conversely one processing operation can rely on several pieces of software.
- Use the information collected during the interviews. Fill in a record entry for each activity.
Refine / Clarify
Based on this record, identify and analyze the risks of the processing operations implemented.
Draw up an action plan for GDPR compliance.
How often must the record be updated?
The record must be updated regularly, as the functional and technical characteristics of the processing evolve. In practice, any change in the conditions under which a processing operation listed in the record is implemented (new data collected, longer retention period, new recipient, etc.) must be entered in the record.
To whom should you communicate this record?
By nature, this record is an internal, evolving document whose primary purpose is to support compliance. Nevertheless, the record must be available and provided to the CNIL upon request. The CNIL may use it in carrying out its supervisory tasks.
- Public bodies must provide the record to anyone who requests it, because it is an administrative document that can be disclosed to anyone under the French Code of relations between the public and the administration. However, the record disclosed must not contain any information that could harm secrets protected by law, in particular the security of information systems.
- Private organizations (not entrusted with a public service mission) are not required to disclose the record publicly. Nevertheless, they may provide it to those who request it when they consider it appropriate.
By supplementing the record with additional information, you can make it a genuine tool for monitoring your compliance with the GDPR. Indeed, the documentation obligations laid down by the GDPR are not limited to the record required by article 30. Gathering in a single document all the information about your processing that the GDPR requires will help you to demonstrate your compliance with data protection rules, or to identify the actions you need to take to achieve it.
Such a record will also help your data protection officer to carry out their tasks, and it may be consulted by any member of staff who is to implement a processing operation.
- For example, by including in your record the information you are required to give data subjects (legal basis of the processing and, depending on the case, the legal basis for transfers to a third country, the rights that apply to the processing, the existence of automated decision-making, the source of the data, etc.), you will be able to rely on your record when drafting your privacy notices.
- Finally, you can also keep in your record a log of personal data breaches and an inventory of all documents relating to data transfers outside the European Union (contractual clauses, etc.) and to the processors you use (processing contracts).