The record of processing activities

Establishing a record of processing activities

On 25 May 2018, the transition period for the implementation of the GDPR ends and compliance with its stipulations becomes legally mandatory. This also means that data processing operations must satisfy the provisions laid out in the GDPR. The first challenge you will come across and thus the first step in creating a legally sound compliance system in terms of data privacy will be to draw up records of all processing activities.

Such records of processing activities are intended to enable the supervisory authority to review the respective processing operations. For this reason, such records must contain information on all data processing activities of your company. It is thus necessary to identify all data processing operations, document them in a written or electronic format and finally make them available in a concise way in your records of processing activities.

Requirements

Requirements your company must meet at a glance

Dynamic records
The record of processing activities is “dynamic”, i.e.,  all identified or defined data processing operations shall be reviewed on a regular basis with regard to the question whether the processes still run the same way as they initially have been determined and documented. If processing activities change due to, e.g., changes in the company’s demands, this has to be mirrored in the record of processing activities. For this reason, the responsible contact person at the respective department should be contacted on a regular basis, e.g., once a year. 

History
Your company is required to prove (at any time) that personal data has been processed in a lawful manner (at all times). This follows that the record of processing activities shall contain a history that has to be kept updated in order to prove compliance with the GDPR, also for a past period of time.

Contact persons
With regard to contact persons, the GDPR only stipulates that the data controller, its representative and, where applicable, the data protection officer shall be named as contact persons. However, it will facilitate the work of a supervisory authority and reduce the amount of follow-up questions in the course of an audit, if, additionally to the information explicitly required by the GDPR, the record names the persons responsible for the respective processing activities (e.g. name and contact details of the head of HR, head of IT, etc.).

Key contacts

Picture of Johannes Juranek
Johannes Juranek
Managing Partner
Vienna
Picture of Ines Freitag
Ines Freitag
Associate
Vienna