The record of processing activities

Establishing a record of processing activities

On 25 May 2018, the transition period for the implementation of the GDPR ends and compliance with its stipulations becomes legally mandatory. This also means that data processing operations must satisfy the provisions laid out in the GDPR. The first challenge you will come across and thus the first step in creating a legally sound compliance system in terms of data privacy will be to draw up records of all processing activities.

Such records of processing activities are intended to enable the supervisory authority to review the respective processing operations. For this reason, such records must contain information on all data processing activities of your company. It is thus necessary to identify all data processing operations, document them in a written or electronic format and finally make them available in a concise way in your records of processing activities.

Erasure of Data

Data erasure mechanisms – how to keep an eye on a timely erasure

When establishing a record of processing activities, you must document which personal data are processed, by which automated procedure, and which concrete measures are taken to protect them. This includes defining the periods during which the personal data are stored and after which they have to be erased. Such periods are not only a crucial point of interest for the supervisory authority; they also serve self-monitoring purposes.

How do you realise the erasure of data in practical terms, and which periods apply? The GDPR does not define specific periods after which data must be erased. As a result, many companies simply state that they will erase data once they are no longer needed and neglect to state specific periods during which data are stored. Such an approach not only makes an external audit more difficult, but it could also give rise to the suspicion that the erasure of personal data has not been given due consideration. A good data management solution includes an archive function, deadline reminders and delete functions at the data level. Your company should make sure that storage periods are assigned to data categories and that these are regularly reviewed by the competent department, which also deletes those data categories for which the storage period has expired. It can therefore be a good idea for the contact persons of the various departments to set reminders in their electronic calendars whenever such a review is due.

Attention! With “the right to be forgotten”, the GDPR grants data subjects who have consented to their data being processed the right to have their data erased the moment they withdraw that consent. In such a case, a company not only has to stop sending the data subject e.g. promotional emails, but it is also obliged to inform third parties (to whom the data has been transferred) of the data subject’s request to delete the data. Such data must then be erased.
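As an added illustration that is not part of the original article, the following Python sketch models the two erasure mechanisms described above: storage periods assigned to data categories and owned by a department, a periodic review that flags expired records for deletion and soon-expiring ones for a reminder, and the consent-withdrawal case, in which consent-based records of the data subject are erased and the third parties they were transferred to are listed for notification. All categories, storage periods, departments and records are constructed for the example, not periods the article prescribes; records held on another legal basis (the constructed invoice data) are deliberately left untouched by consent withdrawal, which is an assumption of this sketch rather than something the article spells out.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class RetentionRule:
    """Storage period for one data category and the department that reviews it."""
    category: str
    retention_days: int
    owner: str                    # competent department
    remind_days_before: int = 30  # reminder lead time before expiry


@dataclass
class Record:
    record_id: str
    category: str
    subject_id: str
    stored_on: date
    consent_based: bool = False   # processed on the basis of the subject's consent
    shared_with: tuple = ()       # third parties the data has been transferred to


# Constructed retention schedule (example values only).
SCHEDULE = {
    "applicant_data": RetentionRule("applicant_data", 180, "HR"),
    "invoice_data": RetentionRule("invoice_data", 7 * 365, "Accounting"),
    "newsletter_subscriber": RetentionRule("newsletter_subscriber", 3 * 365, "Marketing"),
}

# Constructed sample records; "mailing-provider-example" is a placeholder third party.
SAMPLE_RECORDS = [
    Record("r1", "applicant_data", "S-7", date(2017, 11, 1)),
    Record("r2", "newsletter_subscriber", "S-1", date(2016, 1, 10),
           consent_based=True, shared_with=("mailing-provider-example",)),
    Record("r3", "invoice_data", "S-1", date(2015, 6, 1)),
    Record("r4", "applicant_data", "S-9", date(2017, 12, 10)),
    Record("r5", "legacy_export", "S-3", date(2012, 3, 3)),   # no rule assigned
]


def review(records, schedule, today):
    """Periodic review: returns (expired, due_soon, unmapped).

    expired  -> [(record_id, owner)] records whose storage period has ended
    due_soon -> [(record_id, owner, expiry_date)] reminders for the department
    unmapped -> [record_id] records with no storage period assigned (a gap to fix)
    """
    expired, due_soon, unmapped = [], [], []
    for r in records:
        rule = schedule.get(r.category)
        if rule is None:
            unmapped.append(r.record_id)
            continue
        expires = r.stored_on + timedelta(days=rule.retention_days)
        if expires <= today:
            expired.append((r.record_id, rule.owner))
        elif expires - today <= timedelta(days=rule.remind_days_before):
            due_soon.append((r.record_id, rule.owner, expires))
    return expired, due_soon, unmapped


def erase_expired(records, schedule, today):
    """Delete every record flagged as expired; returns (remaining, erased_ids)."""
    expired, _, _ = review(records, schedule, today)
    erased = {rid for rid, _ in expired}
    return [r for r in records if r.record_id not in erased], sorted(erased)


def withdraw_consent(records, subject_id):
    """Right to be forgotten: erase the subject's consent-based records and
    return (remaining, third_parties_to_notify). Records kept on another
    legal basis are not touched here (assumption of this sketch)."""
    remaining, notify = [], set()
    for r in records:
        if r.subject_id == subject_id and r.consent_based:
            notify.update(r.shared_with)
        else:
            remaining.append(r)
    return remaining, sorted(notify)


if __name__ == "__main__":
    today = date(2018, 5, 25)
    expired, due_soon, unmapped = review(SAMPLE_RECORDS, SCHEDULE, today)
    print("expired:", expired)
    print("reminders:", due_soon)
    print("no storage period assigned:", unmapped)
    remaining, notify = withdraw_consent(SAMPLE_RECORDS, "S-1")
    print("third parties to inform:", notify)
```

The unmapped list is the check a reviewer most wants: a data category without an assigned storage period is exactly the "erased once no longer needed" gap the article warns about, so the review surfaces it rather than silently skipping it.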

“Mapping” of the technical and organisational measures

One of the important points in finalising the record of processing activities is the technical and organisational measures. To determine which specific security measures are adequate, the interests of both the company and the data subjects concerned should be considered along with the purpose of the data processing operation, the data categories and other factors. Pseudonymisation, encryption, the implementation of entry controls, physical or electronic access controls, transmission control, order controls or a purpose limitation are adequate measures to legitimately process data according to the GDPR. Further measures could be a rights- and role-based access model for employees or external audits.

Key contacts

Johannes Juranek
Managing Partner
Vienna