Jul 212017

The Belgian Data Protection Authority Publishes Guidance on Records of Processing Activities Under the GDPR

William RM Long, Geraldine Scali and Thomas Fearon
, , , ,

The Belgian Commission for the Protection of Privacy (“Privacy Commission”) has recently published guidance on Article 30 of the GDPR which contains the obligation for data controllers and processors to record their processing activities.

This record will have to be up-to-date by 25 May 2018 and readily made available to the regulator should it ask to view it.

In its guidance the Privacy Commission goes into a large amount of detail regarding what information the record should contain, namely:

  • The name and contact details of the data controller (and joint controller), its representative and its data protection officer.
  • The purpose of each processing activity. The Privacy Commission explains that any general description (e.g. HR administration) will have to be completed by more specific descriptions. The Privacy Commission recommends the use of the existing list of purposes contained in the explanatory note of the current notification form as an example.
  • The categories of data processed (e.g. identification data (including national security number), financial data, employment data, recordings of images and sound, etc.). The Privacy Commission recommends that sensitive personal data is identified as such in the record.
  • The type of data subjects concerned by the processing activities (e.g. employees, clients, suppliers).
  • Categories of recipients to whom the personal data is being disclosed, including whether they are located inside or outside the EEA and whether they are internal or external to the processing organisation (tax authorities, business partners, social security, police, etc.). The Privacy Commission specifies for data sent outside of the EEA that  the country to which data is routed needs to be named in the record, the competent authority needs to be warned of the transfer, and appropriate safeguards need to be put in place to protect the data (with a contract for example, a copy of which should be inserted in the record). Data can only be transferred outside the EEA for a compelling, legitimate interest of the organisation.
  • How long data will be kept before erasure. The Privacy Commission acknowledges that recording an estimate of days, months or years may not be appropriate; instead, recording parameters such as time needed to manage disputes or the expiration of a limitation period may be best-suited.
  • The technical and organisational measures taken to ensure a level of security appropriate to the risk.

The Privacy Commission also explains that only information relevant to the processing activities must be recorded by data processors.

The GDPR contains an exemption to the recording obligation for organisations employing fewer than 250 people (SMEs) unless the processing carried out:

  • is likely to result in a risk to the rights and freedoms of data subjects;
  • is not occasional (examples of non-occasional processing activities given by the Privacy Commission are those relating to client management, employee management and supplier management); and
  • includes sensitive data.

The Privacy Commission recommends that all data controllers and processors maintain a record of processing activities (but only those relating to non-occasional processing for SMEs).

The Privacy Commission does not in its Guidance impose a specific format for the record. However, it has reserved the possibility to set a standard format which would form the basis of the record. This would be helpful for processing organisations and align with activities of other European regulators such as the French CNIL which recently issued a standard cross-sector template record. Ideally an EU-wide template should eventually be created by the Article 29 Working Party so that multinational processing organisations do not have to prepare country-specific records.

The Privacy Commission insists on the fact that the record must be a live document that should constantly be updated taking into account any new processing activity of the organisation. It should however be in writing and available in electronic format in any language with the possibility for the Privacy Commission to request a translation of the record in one of the Belgian official languages (i.e. Dutch, French or German) at the expense of the organization (if it is not originally in one of the official languages).

Finally the Privacy Commission explained that although the GDPR does not specify the period during which the information in a record should be retained when a specific processing activity ceases, it could be beneficial for accountability purposes to keep that information with a mention of the period during which the processing was carried out.

William RM Long

London

wlong@sidley.com

Geraldine Scali

gscali@sidley.com

Thomas Fearon

tfearon@sidley.com

You might also like
U.S. Employers Need to Reconsider Use of Confidentiality and Nondisparagement Provisions in Light of New NLRB Decision

Employers frequently seek to include confidentiality and nondisparagement provisions in severance agreements provided to departing employees. Last week, the U.S. National Labor Relations Board (NLRB or Board) significantly altered the legal landscape governing such provisions, making it much more difficult for unionized and nonunionized employers alike to use them for nonsupervisory employees without running afoul of the National Labor Relations Act (NLRA). The decision is likely to be appealed, and we will issue updates as they become appropriate. In the interim, however, it is critically important for employers to understand the implications of the decision (see below) and to adjust their use of these provisions to limit their risk.

Substantial changes to Hong Kong’s privacy laws coming

In a briefing to the Legislative Council (Hong Kong’s legislative body) on February 20, 2023, the Privacy Commissioner (“the Commissioner”) announced that substantive amendments to the Personal Data (Privacy) Ordinance (“PDPO”) will take place.

New FTC Guidance for Mobile Health Apps

Healthcare providers, health plans, and technology companies that use mobile health apps to access, collect, share, use, or maintain information related to an individual’s health should take note of the recently issued Federal Trade Commission (FTC) Mobile Health App Interactive Tool. The purpose of the tool is to help mobile health developers determine the federal regulatory, privacy, and security laws and regulations that may apply to the use of a consumer’s health information, such as information related to diagnosis, treatment, fitness, wellness, or addiction. While the tool should not be considered legal advice and cannot guarantee compliance with legal requirements, it can help healthcare providers, health plans, and technology companies issue-spot to manage risk in this heavily regulated space.