According to the GDPR, the term ‘records of processing activities’ means information about the personal data processing activities in your organization: what personal data your organization processes, why, where and how the data is stored, and who can access it. Personal data processing activities are the activities, procedures, processes or sets of processes of an organization that involve personal data. For example, organizations keep information about their employees for the purposes of payroll processing. Organizations should keep records of basic information about each such process (personal data processing activity) and be able to answer basic questions, especially:
- What personal information do I keep in my records? - What personal data is involved in a particular process, and how long may I keep this data?
- Why do I process the personal data? - For what purpose am I processing the personal data? This is a crucial question for proving the legitimacy of the processing and for correct record keeping.
- Where is the data stored, where is it processed, and how? - In what system (software, hardware, paper folder) is the information kept, and is it adequately secured there?
- Who can access the personal data, and for what reason? - Which employees, processors and other parties have access to the personal information, and why?
What must be included in the records of personal data processing activities?
The GDPR defines (in Article 30) which specific data must be included in the documentation about personal data processing:
- name and contact details of the data controller and, where applicable, of any joint controller, the responsible person and the DPO
- title of the personal data processing activity (e.g. “payroll - employee information”)
- the purpose of personal data processing of a given activity
- the personal data being processed (individual data or categories of data)
- information about the processor or, where applicable, the recipients or categories of recipients to whom the personal data is made available
- information on data transfers to third countries (and the recipients in those third countries)
- information on the time limits for erasure (where possible)
- information on the security measures (countermeasures) taken to protect the personal data
Companies in the role of data controllers should have answers to the above-listed questions. Even where the GDPR does not oblige them to keep this kind of record, doing so makes it easier to respond to people’s queries and greatly enhances their capacity to prove GDPR compliance to any inspection: records of processing activities are the key proof of the responsibility taken by the organization when processing personal data, and they are also one of the inputs for an inspection by the Supervisory Authority.
Can you give me some examples of records of processing activities?
- payroll procedure
- customer personal data kept for business purposes
- customer personal data kept for marketing purposes (e.g. newsletter)
Who must keep records of personal data processing activities?
Records of personal data processing activities must be kept by organizations with more than 250 employees, and by organizations that process personal data in a way that is likely to pose a risk to the rights and freedoms of data subjects where the processing is not occasional, or where it involves special categories of data or personal data relating to judgments in criminal matters.
Although record-keeping of processing activities is not mandatory for all data controllers, it is advisable because it can be of great help. Such records are a very useful source of information, for example for getting an overview of what personal data the organization stores. Beyond that, they contain all the information necessary to fulfil the rights of the people concerned (data subjects), i.e. to respond to them and handle their requests. Finally, by keeping records of processing activities, the organization builds up the body of evidence it will rely on in a supervisory inspection.