Belgian Privacy Commission Recommendation on Mandatory Record of Processing Activities Under GDPR

  • 16/06/2017

On 14 June 2017, the Belgian Privacy Commission (the “Privacy Commission”) published a recommendation regarding the obligation for controllers and processors to maintain a record of processing activities in accordance with Article 30 of the General Data Protection Regulation (“GDPR”). The obligation to keep such an internal record will apply as of 25 May 2018, and from that date, the Privacy Commission (or its successor) will have the authority to request the record.

The recommendation explains the aim of the requirement to keep an internal record. In the first place, the internal record serves as an accountability instrument. In order to comply with the GDPR, it is necessary that data controllers and processors create an overview of all processing activities within their organisation. Furthermore, the internal record must be made available to the national data protection authorities.

In the recommendation, the Privacy Commission explains that the obligation to keep an internal record under Article 30 of the GDPR applies both to data controllers and data processors (or their representatives if the controller or processor does not have an establishment in the European Union). In principle, the GDPR exempts companies with fewer than 250 employees from the obligation to keep internal records unless (i) their data processing activities may pose risks to the rights and freedoms of individuals; (ii) the processing is not occasional; or (iii) the processing involves sensitive or judicial data. Nevertheless, the Privacy Commission recommends that all controllers and processors maintain internal records, but considers that small and medium-sized companies may choose not to include their occasional processing activities in their internal record. Indeed, it seems beneficial for companies to keep an overview of their processing activities in order to organise their data protection compliance.

The obligation under Article 30 of the GDPR replaces the current obligation to notify data processing activities to the Privacy Commission. The notification obligation will be abolished when the GDPR starts to apply. The Privacy Commission is of the opinion that the existing notifications published in the register available on its website will provide a useful source of information for companies establishing their internal records. The recommendation goes on to compare the obligation under Article 30 of the GDPR with the current notification obligation. It indicates that the guidance available for completing the notification form can provide useful information for drafting the internal records, for instance with regard to the definition of the purposes of the processing activities, the categories of data and the categories of recipients.

The record will have to list all pre-existing and new processing activities and will have to be kept up to date. Therefore, the Privacy Commission encourages the introduction of a warning system for updating the record. It also recommends that professional associations create template records tailored to the needs of their sector.

Finally, the record must be made in writing and has to be available electronically. It has to be designed in such a way that it can be made available at the supervisory authority’s first request. For this reason, the record also has to be reader-friendly and the content easy to comprehend.

The recommendation is available on the website of the Privacy Commission in Dutch and in French.
