Jul 212017

The Belgian Data Protection Authority Publishes Guidance on Records of Processing Activities Under the GDPR

William RM Long, Geraldine Scali and Thomas Fearon
, , , ,

The Belgian Commission for the Protection of Privacy (“Privacy Commission”) has recently published guidance on Article 30 of the GDPR which contains the obligation for data controllers and processors to record their processing activities.

This record will have to be up-to-date by 25 May 2018 and readily made available to the regulator should it ask to view it.

In its guidance the Privacy Commission goes into a large amount of detail regarding what information the record should contain, namely:

  • The name and contact details of the data controller (and joint controller), its representative and its data protection officer.
  • The purpose of each processing activity. The Privacy Commission explains that any general description (e.g. HR administration) will have to be completed by more specific descriptions. The Privacy Commission recommends the use of the existing list of purposes contained in the explanatory note of the current notification form as an example.
  • The categories of data processed (e.g. identification data (including national security number), financial data, employment data, recordings of images and sound, etc.). The Privacy Commission recommends that sensitive personal data is identified as such in the record.
  • The type of data subjects concerned by the processing activities (e.g. employees, clients, suppliers).
  • Categories of recipients to whom the personal data is being disclosed, including whether they are located inside or outside the EEA and whether they are internal or external to the processing organisation (tax authorities, business partners, social security, police, etc.). The Privacy Commission specifies for data sent outside of the EEA that  the country to which data is routed needs to be named in the record, the competent authority needs to be warned of the transfer, and appropriate safeguards need to be put in place to protect the data (with a contract for example, a copy of which should be inserted in the record). Data can only be transferred outside the EEA for a compelling, legitimate interest of the organisation.
  • How long data will be kept before erasure. The Privacy Commission acknowledges that recording an estimate of days, months or years may not be appropriate; instead, recording parameters such as time needed to manage disputes or the expiration of a limitation period may be best-suited.
  • The technical and organisational measures taken to ensure a level of security appropriate to the risk.

The Privacy Commission also explains that only information relevant to the processing activities must be recorded by data processors.

The GDPR contains an exemption to the recording obligation for organisations employing fewer than 250 people (SMEs) unless the processing carried out:

  • is likely to result in a risk to the rights and freedoms of data subjects;
  • is not occasional (examples of non-occasional processing activities given by the Privacy Commission are those relating to client management, employee management and supplier management); and
  • includes sensitive data.

The Privacy Commission recommends that all data controllers and processors maintain a record of processing activities (but only those relating to non-occasional processing for SMEs).

The Privacy Commission does not in its Guidance impose a specific format for the record. However, it has reserved the possibility to set a standard format which would form the basis of the record. This would be helpful for processing organisations and align with activities of other European regulators such as the French CNIL which recently issued a standard cross-sector template record. Ideally an EU-wide template should eventually be created by the Article 29 Working Party so that multinational processing organisations do not have to prepare country-specific records.

The Privacy Commission insists on the fact that the record must be a live document that should constantly be updated taking into account any new processing activity of the organisation. It should however be in writing and available in electronic format in any language with the possibility for the Privacy Commission to request a translation of the record in one of the Belgian official languages (i.e. Dutch, French or German) at the expense of the organization (if it is not originally in one of the official languages).

Finally the Privacy Commission explained that although the GDPR does not specify the period during which the information in a record should be retained when a specific processing activity ceases, it could be beneficial for accountability purposes to keep that information with a mention of the period during which the processing was carried out.

William RM Long

London

wlong@sidley.com

Geraldine Scali

gscali@sidley.com

Thomas Fearon

tfearon@sidley.com

You might also like
UK Sets Out It’s “Pro-Innovation” Approach To AI Regulation

On 29 March 2023, the UK’s Department for Science Innovation and Technology (“DSIT”) published its long awaited White Paper on its “pro-innovation approach to AI regulation” (the “White Paper”), along with a corresponding impact assessment. The White Paper builds on the “proportionate, light touch and forward-looking” approach to AI regulation set out in the policy paper published in July 2022. Importantly, the UK has decided to take a different approach to regulating AI compared to the EU, opting for a decentralised sector-specific approach, with no new legislation expected at this time. Instead, the UK will regulate AI primarily through sector-specific, principles based guidance and existing laws, with an emphasis on an agile and innovation-friendly approach. This is in significant contrast to the EU’s proposed AI Act which is a standalone piece of horizontal legislation regulating all AI systems, irrespective of industry.

How the China Personal Information Protection Law Applies to Foreign Asset Managers

Since China’s Personal Information Protection Law (PIPL) came into effect in November 2021, there has been widespread uncertainty amongst offshore fund managers and investors with entities outside Mainland China as to how and whether the regime applies to them. Given the potential for foreign asset managers to overlook or misinterpret PIPL, this brief update outlines some guidance as to how PIPL can apply, and to whom, in a practical context.

EU Moving Closer to an AI Act – Key Areas of Impact for Life Sciences/MedTech Companies

The European Union is moving closer to adopting the first major legislation to horizontally regulate artificial intelligence. Today, the European Parliament (Parliament) reached a provisional agreement on its internal position on the draft Artificial Intelligence Regulation (AI Act). The text will be adopted by Parliament committees in the coming weeks and by the Parliament plenary in June. The plenary adoption will trigger the next legislative step of trilogue negotiations with the European Council to agree on a final text. Once adopted, according to the text, the AI Act will become applicable 24 months after its entry into force (or 36 months according to the Council’s position), which is currently expected in the second half of 2025, at the earliest.