How to build your records of processing activities under the GDPR?
The record of processing activities is one of the key documents required under the GDPR. How do you build it in practice? What information must it contain?
STARTUPS — LEARN HOW TO BUILD YOUR GDPR PROCESSING RECORDS!
The record of processing activities is one of the key documents required under the GDPR. It allows you to map the personal data processing activities carried out by your startup and to demonstrate your compliance.
How do you build a record? What information must it contain? What is the difference between the data controller's record and the processor's record?
1. What is a record of processing activities?
The record of processing activities is a document required under Article 30 of the GDPR that allows a company to inventory the personal data processing activities it carries out.
The record is an essential GDPR compliance management tool, as it allows you to:
- identify the personal data processing activities carried out;
- map data flows;
- obtain an overall view of the risks involved;
- document the company's compliance;
- facilitate inspections by data protection authorities.
The record must be maintained in writing, including in electronic form.
Warning: even small startups may be required to maintain a record where the processing activities carried out are not occasional, involve risks to the rights and freedoms of data subjects, or relate to sensitive data.
2. The data controller's record
When your startup acts as a data controller, the record must contain in particular:
- the name and contact details of the data controller;
- the purposes of the processing;
- a description of the categories of data subjects;
- a description of the categories of personal data processed;
- the categories of recipients;
- any transfers outside the EU;
- the envisaged time limits for the erasure of data;
- a general description of the technical and organizational security measures in place.
Each processing activity must be the subject of a separate entry.
Examples of processing activities:
- human resources management;
- customer management;
- commercial prospecting;
- supplier management;
- job application management.
3. The processor's record
When your startup acts as a processor within the meaning of the GDPR, it must also maintain a record.
This record must contain in particular:
- the name and contact details of the processor(s);
- the categories of processing carried out on behalf of each data controller;
- any transfers of data to third countries;
- a general description of the technical and organizational security measures in place.
Examples: SaaS platforms, hosting providers, mailing solutions, HR or CRM service providers.
Warning: the GDPR now imposes direct obligations on processors, who can no longer simply execute the instructions of the data controller without documenting their own compliance.
4. What format should the record take?
The GDPR does not prescribe a specific format.
The record may be maintained:
- as an Excel spreadsheet;
- using dedicated software;
- within a governance or compliance tool;
- in a shared document accessible to the relevant teams.
The key requirements are that it must be:
- up to date;
- accessible;
- documented;
- understandable;
- made available to supervisory authorities upon request.
5. Our recommendations
- Start by identifying all personal data flows within your startup;
- Consult business teams to map out actual processing activities;
- Create one entry per processing activity;
- Update the record regularly;
- Document subprocessors and international transfers;
- Link the record to your other GDPR documents (privacy policy, contracts, breach management procedure, etc.).
The record of processing activities is often the practical starting point for a GDPR compliance project.
References
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data;
- Guidelines of the European Data Protection Board (EDPB);
- Practical guides and templates published by European data protection authorities.
STARTUPS, LEARN HOW TO CREATE YOUR GDPR-COMPLIANT REGISTERS OF PROCESSING ACTIVITIES!
Keeping a register of processing activities is mandatory under European regulations (GDPR) if your startup processes personal data, whether as controller or as processor. What obligations does Article 30 of the GDPR impose? How do you keep records of personal data processing?
If you do not know how to answer these questions, this article will help you understand how to create your processing registers.
1. WHAT ARE THE GDPR OBLIGATIONS?
Unlike in many African countries (e.g. Morocco with the CNDP), it is no longer necessary to carry out prior formalities (requests for authorization or declaration of processing) with personal data protection supervisory authorities within the European Union.
On the other hand, under the accountability principle, startups must implement internal mechanisms and procedures enabling them to demonstrate compliance with data protection rules at any time in the event of an audit.
One of the obligations linked to the accountability principle is the obligation to keep a register of processing activities, whether the startup acts as data controller or as data processor.
2. WHAT ARE THE PREREQUISITES FOR DRAWING UP THIS REGISTER OF PROCESSING ACTIVITIES?
The following are the essential steps to be taken when drawing up data processing registers:
1. Identify the personal data processing carried out by the startup. This mapping of processing operations is carried out through an audit and inventory of the various purposes for which personal data is processed within the startup. To carry out this mapping, it is necessary to:
- Raise the awareness of the startup’s employees on the subject of personal data protection;
- Integrate all current projects into the processing mapping;
- Distinguish between professions/departments concerned by the processing of personal data;
- Ask the right questions to detect all the processes carried out by the startup. In this respect, it is advisable to target the information requested from employees according to the elements required to establish your processing registers.
2. Determine, for each processing purpose, the startup's qualification within the meaning of the GDPR: data controller, processor (subcontractor) or joint controller.
Pursuant to Article 4 of the GDPR:
- The data controller is “the person who determines the purposes and means of processing”.
- The processor is “the natural or legal person, public authority, department or other body that processes personal data on behalf of the controller”.
Depending on its qualification under the GDPR, a startup that acts as both controller and processor will therefore have to keep two separate registers of processing activities.
3. WHAT DOES YOUR DATA PROCESSING REGISTER CONTAIN?
Depending on your qualification, your data processing register must contain the following information:
| Data controller | Processor (subcontractor) |
|---|---|
| Name and contact details of the controller and, where applicable, of the joint controller, the controller's representative and its DPO | Name and contact details of the processor(s) and of each controller on whose behalf the processor is acting and, where applicable, of its DPO and representatives |
| Purposes of processing | Categories of processing carried out on behalf of each controller |
| Categories of data subjects | Data transfers outside the EEA, identifying the third countries concerned |
| Categories of personal data | General description, "as far as possible", of the technical and organizational security measures |
| Categories of recipients, including those outside the EEA | |
| Data transfers outside the EEA, identifying the third countries concerned | |
| Envisaged time limits for erasure of the data | |
| General description, "as far as possible", of the technical and organizational security measures | |
4. OUR TIPS FOR DRAWING UP PROCESSING REGISTERS
We recommend:
- Indicate only the information strictly required by the GDPR.
- Use a format adapted to the startup (Excel, Word or startup-specific software).
- Use a format that enables rapid export or printing in the event of a request from the supervisory authority.
- Restrict access to registers to those who need to have access in order to carry out their duties.
- Keep registers up to date whenever the processing of personal data changes, or at least every 6 months.
In practice, your records should reflect what is actually and effectively implemented in your startup.
5. WHY KEEP RECORDS OF PROCESSING ACTIVITIES?
Practical benefits: the data processing register is a management tool that gives you an overview of all personal data processing carried out within your startup. It enables you to comply with the accountability principle by demonstrating your compliance with the GDPR.
This also allows you to meet other GDPR obligations, for example:
- identify any “sensitive” processing operations requiring an impact assessment;
- ensure that retention periods are proportionate to the purposes for which personal data is processed;
- implement security measures adapted to the processing and categories of personal data.
Avoid financial penalties of up to 2% of the startup's annual worldwide turnover or a €10 million fine (whichever is greater).
References:
- Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC
- Guidelines, recommendations and best practices published by the European Data Protection Board (EDPB);
- Guidelines of the Article 29 Working Party (G29) endorsed by the EDPB;
- Guidelines from European data protection authorities (e.g. France's Commission Nationale de l'Informatique et des Libertés (CNIL), the UK's Information Commissioner's Office (ICO), Spain's Agencia de Protección de Datos (APD), etc.).