When is it necessary and how to develop a register of processing activities?


The register of processing activities is the basic document that the supervisory authority will request when inspecting whether an entrepreneur processes personal data correctly. For this reason, anyone running a business should verify clearly whether they are required to have such a document. Read our article for more information on this topic!

Who must keep a register of processing activities?

Pursuant to Art. 30 GDPR, the register of processing activities must be kept by each controller (in exceptional cases, by the controller's representative). The controller is a natural or legal person, public authority, agency or other body that, alone or jointly with others, determines the purposes and means of processing personal data.

However, the aforementioned regulation provides for an exception for entrepreneurs or entities employing fewer than 250 people. Such an entity does not need to keep a register, unless the processing activities it carries out:

  • may pose a risk to the rights or freedoms of data subjects,

  • are not occasional, or include special categories of personal data,

  • concern criminal convictions and offences.

Any one of the above circumstances is enough to oblige an entrepreneur employing fewer than 250 people to keep a register. In practice, these exemptions raise many doubts, in particular as regards the interpretation of the "occasional" nature of processing activities. Everything indicates that the supervisory authorities will be guided by the guidelines of the European Data Protection Board when interpreting this concept, which give the following example:

"The processing of personal data by a small organization, even of a small number of employees, cannot be considered 'occasional' and must therefore be included in the record of processing activities. However, other processing activities which are in fact 'occasional' do not need to be included in the register of processing activities, provided that they are unlikely to involve a risk to the rights or freedoms of natural persons and do not cover special categories of data or personal data relating to criminal convictions and offences."

Therefore, practically every business entity must keep a register of activities, recording in it, for example, the processing of its employees' personal data. The only clear exception to this rule is self-employed persons who do not systematically process personal data. Of course, these entrepreneurs are not exempt from the general obligation to ensure the security of the personal data they process occasionally.

What should the register of processing activities contain?

The register of processing activities compliant with the GDPR should contain at least the following elements:

  • the name (or first name and surname) and contact details of the controller and any joint controllers and, where applicable, of the controller's representative (applies where the controller has no establishment in the EU) and of the data protection officer (if appointed);

  • the purposes of the processing;

  • a description of the categories of data subjects and the categories of personal data;

  • categories of recipients to whom personal data have been or will be disclosed, including recipients in third countries or in international organizations;

  • where applicable, information on the transfer of personal data to a third country or an international organization, including the name of that third country or international organization (in the absence of a Commission decision stating that the third country, territory or specific sector or specific sectors in that third country or an international organization ensures an adequate level of protection - additionally, documentation of appropriate safeguards);

  • if possible, the planned dates of deletion of individual data categories;

  • where possible, a general description of the technical and organizational security measures.

In what form and how to keep a register of processing activities?

Pursuant to Art. 30 sec. 3 GDPR, the register shall be in writing, including in electronic form, which gives the entrepreneur a lot of freedom in this regard. In a small enterprise with fixed areas of operation and a small amount of processed personal data, a traditional paper register can be used. Usually, however, the electronic version will be much more convenient because individual entries can be edited on an ongoing basis. The regulations do not require a document kept in electronic form to also be stored as a printout. Nevertheless, it is worth systematically backing up the documentation concerning the protection of personal data (including the register of activities) or printing it from time to time.

The form that guarantees the best transparency of the register is a table prepared, for example, in a text editor or in Excel. An example of such a table is presented below:

Table 1. Template of a sample register of processing activities for an entity that does not transfer personal data to third countries or international organizations

| Purpose of processing | Categories of data subjects | Data categories | Legal basis for processing | Planned date of deletion of data categories | Name and contact details of the joint controller | Recipient (processor) and contact details | Categories of recipients | General description of technical and organizational security measures |
|---|---|---|---|---|---|---|---|---|
| Running a website using the image of employees and clients | Employees and customers | Image | Consent, Art. 6 sec. 1 point a GDPR | Termination of the employment relationship, or 2 years from the date of publication of the data on the website | Enter only if there is an entity that, together with the controller, determines the purposes and means of processing | Enter the details of the external entity that provides website support | Enter only if the data are disclosed to entities other than the processor | Enter the security measures where possible |

The purpose of processing may be directly related to the processing activity, which, in the opinion of the President of the Personal Data Protection Office, means a set of related data operations performed by one or several persons, which can be described collectively in relation to the purpose for which these steps are taken. Further processing purposes are entered in subsequent rows of the table.

Categories of data subjects are the groups of people whose data we use in the course of a specific processing activity. Data categories are simply the specific types of data, which may include, among others, telephone number, e-mail address, education data, address data, identification data or, as in the example provided, image.

The legal basis is not a mandatory element of the register. However, the most serious charge that an entrepreneur may face is unlawful processing of personal data. For this reason, if only for the sake of self-control, it is worth clearly stating for each processing activity the basis that entitles the controller to process the data. This can be done by pointing to one of the conditions set out in the GDPR, i.e.:

  • the data subject's consent to the processing of their personal data for one or more specific purposes;

  • processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

  • processing is necessary to fulfill the legal obligation incumbent on the controller;

  • processing is necessary to protect the vital interests of the data subject or of another natural person;

  • processing is necessary for the performance of a task carried out in the public interest or in the exercise of public authority entrusted to the controller;

  • processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.


The planned date of data deletion may follow from legal regulations, e.g. insurance law or the act on the national archival resource and archives. Most often, however, it is the controller who sets the date of data deletion. According to the GDPR, the period of data storage should be as short as possible; for example, personal data obtained during recruitment should be deleted immediately after that process ends.

Another piece of information that should be included in the register of processing activities concerns the other entities involved in processing the personal data for which the entrepreneur is the controller. These are joint controllers (entities that determine, together with the controller, the purposes and means of processing) and data recipients. Recipients should be divided into two groups. The first consists of entities processing data on behalf of the controller, i.e. all external companies to which work is outsourced together with personal data (e.g. companies keeping the entrepreneur's accounts). An indispensable condition for the controller to transfer personal data to such entities is a written data processing agreement. The second group includes other entities which are not processors and to which personal data are transferred without a processing agreement, most often in order to fulfil legal obligations imposed on the controller (e.g. ZUS, the Tax Office).

The last element of the register is a description of the technical and organizational security measures applied to protect personal data. There are no clear guidelines on how to formulate this description, and it is included in the register only where possible. In this description, we can refer to technical measures such as access controls (e.g. doors with access codes, lockable cabinets) and organizational measures (e.g. specific procedures for employee conduct, staff training).

Register of processing activities and the register of categories of processing activities

Finally, it is worth noting that the register of processing activities is not the same as the register of categories of processing activities. The latter can most simply be described as a shortened form of the register of processing activities, containing only the following elements:

  • the name and contact details of the processor or processors and any controller on whose behalf the processor acts;

  • the categories of processing performed on behalf of each controller;

  • where applicable, information on the transfer of personal data to a third country or an international organization, including the name of that third country or international organization;

  • where possible, a general description of the technical and organizational security measures.

The above register must be kept by processors. If the entrepreneur is both a controller and a processor acting on behalf of another company, both registers must be kept.

As you can see, keeping a register of personal data processing activities does not require a lot of work or resources. Moreover, once created, it can serve the entrepreneur for many years with only minor modifications. Considering that it is a document required by law, the absence of which may expose the entrepreneur to serious financial losses in the event of an inspection, it is simply worth having.