Do human resources need to keep a register of personal data processing activities?

In accordance with Recital 82 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter referred to as the GDPR: in order to demonstrate compliance with this Regulation, the controller or processor should maintain records of the processing activities under its responsibility. Each controller and processor should be obliged to cooperate with the supervisory authority and make those records available to it on request, so that they may serve for monitoring those processing operations.

It is worth recalling that Art. 30 GDPR distinguishes two different registers of processing activities to be kept by entities processing personal data:

  • a register of processing activities kept by the controller,

  • a register of the categories of processing activities kept by the processor.

Register of personal data processing activities - required information

Pursuant to Art. 30 sec. 1 GDPR, each controller and, where applicable, the controller's representative keeps a register of the personal data processing activities for which it is responsible, including processing carried out under arrangements with a processor or joint arrangements with joint controllers. The article lists the information that the register of processing activities must contain, i.e.:

  • the name and contact details of the controller and any joint controllers, and, where applicable, the controller's representative and the data protection officer;

  • the purposes of the processing;

  • a description of the categories of data subjects and the categories of personal data;

  • the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organizations;

  • where applicable, transfers of personal data to a third country or an international organization, including the name of that third country or international organization and, in the case of transfers referred to in Art. 49 sec. 1, second subparagraph, documentation of the appropriate safeguards;

  • where possible, the planned time limits for deletion of the individual categories of data;

  • where possible, a general description of the technical and organizational security measures referred to in Art. 32 sec. 1.

In turn, according to Art. 30 sec. 2 GDPR, each processor keeps a register of all categories of processing activities carried out on behalf of a controller, containing the following information:

  • the name and contact details of the processor or processors and of each controller on whose behalf the processor is acting, and, where applicable, of the representative of the controller or processor and of the data protection officer;

  • the categories of processing carried out on behalf of each controller;

  • where applicable, transfers of personal data to a third country or an international organization, including the name of that third country or international organization;

  • where possible, a general description of the technical and organizational security measures.

It should be added that both registers are kept in writing, including in electronic form, and that the controller or processor makes the register available to the supervisory authority on request.

Exception from the obligation to keep a register of activities

It is worth mentioning that the obligation to keep a register of activities does not apply to an entrepreneur or entity employing fewer than 250 persons, unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, is not occasional, or includes special categories of personal data or personal data relating to criminal convictions and offences.

No definition of "processing activities"

It is worth noting that neither the above-mentioned EU Regulation (the GDPR) nor the Polish Personal Data Protection Act of May 10, 2018 (Journal of Laws of 2018, item 1000) clearly explains the concept of "processing activities". In commentaries on the GDPR, "processing activities" are related to the purposes of data processing. One recommendation describes them as "specific actions taken on data as part of each purpose. If the purpose was to send commercial information by electronic means, the processing activities would be obtaining, reading, saving, sending and modifying data for this purpose. In this respect, it could be concluded that within each purpose of data processing we usually deal with at least two activities, such as obtaining and reading personal data" (cf. Commentary on the GDPR, Dr. Paweł Litwiński, ed. 2018, citing recommendation No. 06/2017 of the Belgian data protection authority (Privacy Commission) of June 14, 2017). Moreover, it is pointed out that what Art. 30 GDPR requires is a register of activities. The controller processing personal data should inform the persons whose data it processes, inter alia, about the purpose of the processing.

Should the HR department keep a register of personal data processing activities?

HR departments keep various registers concerning employees, containing data of employees, contractors and job candidates collected in the recruitment process, as well as data related to employee medical packages or to the management of the Company Social Benefits Fund. It should be noted that the register of personal data processing activities is a list of all data sets kept by the controller and must contain all the information described in Art. 30 sec. 1 and 2 GDPR. Therefore, the individual steps that make up the processing of a given data set should not be listed as separate processing activities.

In view of the above, it is worth emphasizing that under Art. 30 GDPR the HR department is not required to register every HR activity. According to the information published on the website of the General Inspector of Personal Data, the register of processing activities is a kind of information card indicating the entity processing personal data, the purpose of the processing, the categories of persons concerned and the period of data storage.

In conclusion, the provisions of the GDPR apply to the HR department, and employee data sets should be included in the register of processing activities. There is, however, no obligation to describe each HR activity in that register. It should also be noted that the register contains only a description of the categories of data subjects, without any specific information about those persons.