This post has been updated.
The Belgian Privacy Commission (the “Belgian DPA”) recently released a Recommendation regarding the requirement to maintain internal records of data processing activities (the “Recommendation”) pursuant to Article 30 of the EU General Data Protection Regulation (“GDPR”).
The Recommendation aims to provide guidance to data controllers and data processors in establishing and maintaining internal records by May 25, 2018. As of that date, the internal records requirement must be complied with, and the Belgian DPA must be able to request that such records are made available to it.
Key takeaways from the Recommendation are summarized below:
- Responsibility in maintaining internal records. The obligation to maintain internal records applies both to data controllers and data processors (or their representatives, if the data controller or processor does not have an establishment in the European Union). The requirement to maintain internal records does not apply, however, to companies or organizations with fewer than 250 employees, unless (1) their data processing activities are likely to result in a risk to the rights and freedoms of individuals, (2) the processing is not occasional, or (3) the processing includes sensitive personal data or personal data relating to criminal convictions and offenses. Despite these exceptions, the Belgian DPA recommends that all controllers and processors maintain internal records. With respect to SMEs, however, the Belgian DPA is not opposed to the creation of internal records only for regular processing activities, and not for occasional processing activities.
- Aim of such requirement. Maintaining internal records is a cornerstone of the accountability regime under the GDPR. Internal records must be made available to supervisory authorities. The requirement to maintain internal records replaces the requirement to file national registrations of data processing activities, which often was seen as inefficient and burdensome for companies. In this respect, the Belgian DPA notes that existing national registrations that were previously filed might be, to a certain extent, useful in creating internal records. However, companies must be aware of the differences between internal records and existing national registrations. Among others differences, the Belgian DPA notes that the obligation to file national registrations was applicable only to data controllers, and not to data processors.
- Content of internal records. Internal records must cover all processing activities carried out on May 25, 2018, whether such processing activities were previously or recently initiated.
- Internal records maintained by data controllers must contain the following information: (i) name and contact details of the controller and where applicable, joint controller and the controller’s representative; and (ii) name and contact details of the data protection officer (the “DPO”), if any (this does not exempt the data controller from the requirement to notify supervisory authorities of the name and contact details of the DPO); (iii) clear and detailed information regarding the purposes of the processing; (iv) a description of the categories of data subjects; (v) a description of the categories of personal data; (vi) the categories of recipients, whether internal or external, including recipients in third countries or international organizations; (vii) information about data transfers to a third country, including the identification of such third country, and where applicable, the documentation of suitable safeguards; (viii) envisioned time limits for erasing the data, or, according to the Belgian DPA, the criteria used to determine the retention period; and (ix) a general description of technical and organizational security measures implemented.
- Data processors, on the other hand, must maintain internal records containing the following information: (i) name and contact details of the processor and where applicable, the processor’s representative; (ii) name and contact details of each controller on behalf of which the processor is acting, and where applicable, the controller’s representative; (iii) name and contact details of the data protection officer (if any); (iv) categories of processing carried out on behalf of each controller; (v) information about data transfers to a third country, including the identification of such third country, and where applicable, the documentation of suitable safeguards; and (vi) a general description of technical and organizational security measures implemented.
According to the Belgian DPA, nothing prevents controllers and processors from including other information in the internal records. In that respect, controllers and processors could take their past national registrations into account. In addition, the Belgian DPA recommends that controllers and processors consider including in internal records information about applicable legal basis, data protection impact assessments, and personal data breaches.
- How to establish internal records. These records must be in writing and available in electronic form, and must be clear and understandable. The Belgian DPA recognizes some flexibility with respect to the format used to maintain the records. In addition, internal records must be kept up-to-date and the Belgian DPA recommends that controllers and processors keep them for accountability purposes, taking into account applicable statutes of limitation. The Belgian DPA also recommends that, in creating internal records, controllers and processors involve each member of their personnel working at an operational level who are capable of identifying the relevant processing activities.
- Recipients of the internal records. Upon request, controllers and processors must make such records available to the supervisory authority. The Belgian DPA, however, notes that internal records are not intended to be viewed by data subjects or the general public.
- Sanctions. The Belgian DPA states that failure to comply with the obligation to maintain internal records may result in an administrative fine of up to 10,000,000 EUR or 2% of the company’s global annual turnover, whichever is higher.
UPDATE: The Belgian DPA has released a template for the register of processing activities that can be used by companies. The template contains more information than what is required under the GDPR and companies are therefore not obligated to use it. Information that is strictly necessary to comply with the requirement of the GDPR to maintain internal records is highlighted in red.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code