The Autoriteit Persoonsgegevens' processing register
In the summer of 2019, I wrote an article about the Autoriteit Persoonsgegevens' processing register.(1) I had requested the processing register to get more clarity on the privacy supervisor's own interpretation of the General Data Protection Regulation. Recently, I requested the register again. This was to see to what extent the register is subject to change.
Modified template
What is immediately noticeable is that the components and layout of the register have changed in their entirety. In the previous version of the register, the Autoriteit Persoonsgegevens (AP) used the template of the Belgian supervisor.(2) It seems that the AP has not used this in the current version. The current register contains far fewer fields that can/must be filled in per processing operation. In addition to the mandatory sections from Article 30 General Data Protection Regulation (AVG), only the basis is included as an additional field. The optional field (the AVG uses the words 'if possible') regarding the technical and organizational measures taken has not been included by the AP. Instead, the AP has included a comment field referring to the Privacy Policy.(3) Since there is no international transfer of personal data, the AP has also included this as a comment field.
Content
The content of the registry has also changed significantly. Or rather, in my opinion, the AP has started over. A comparison between the two registers does not reveal any processing operations that have been copied one-to-one. The number of (business) sections has changed from 13 to 5. The number of processing operations has also been reduced: from 109 to 86. The 86 processing operations are divided among 60 (statutory) tasks.
In the first version of the register, the processing operations were a combination of process-level and task-level processing. The current register is built from the (legal) task of the AP. We no longer see processing like "contacts on iPhones". In terms of processing of personal data, the AP's (legal) task can be very simple/clear (almost at the process level) and sometimes the processing of personal data is more general.
Examples of specific tasks are:
- Drafting policy rules: liaise with the editorial office of the Government Gazette.
- Request register of processing activities: liaise with controller/processors.
- Determining whether there is a staff member of the AP i.e. UWV claims, verifying settlement of UWV claims.
Tasks formulated more generally:
- Personnel and payroll administration: execution of employment contract, administration duty tax laws.
- Liaise with proposers and EU colleagues.
- Exercise investigative powers and conduct exploratory investigations.
All in all, in my opinion, the quality of the register has greatly improved. It is now much clearer to me what tasks the AP has, what purposes are associated with them and what personal data are processed for this purpose.
What can we learn from the AP's registry?
Five aspects that I think we can learn from:
- Be practical in filling in the categories of personal data if they are not determinable: all possible categories of special personal data, description issue.
- Cluster processing operations so that there is consistency. The AP has included multiple processing operations in some tasks. For example, the task "act as a point of contact for FGs" has the following processing operations:
  - Organize conferences and meetings for FGs;
  - Written and telephone advice to FGs;
  - Maintain registry of FGs;
  - Send newsletter for FGs.
- Include the basis as an additional field in the register. And if a processing has multiple purposes, specify which partial processing the basis relates to.
- Choose a unified perspective to create the registry. The AP was guided by its primarily statutory duties and divided this into five (business) components.
- The AP has (only?) eight processing operations for business operations. This number provides insight into the number of processing operations an average SME organization has in the HRM area.
Error
It does appear that another error has crept into the processing register. For the processing 'contract management, maintaining contact with IT vendors', 'performance of the agreement' is included as the basis. However, this basis can only be used if the data subject is an independent contracting party. Article 6(1)(b) AVG states the following: "The processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract." The data subjects in this processing are employees of the AP's IT service providers. IT contracts are concluded between two legal entities; the employees of these legal entities are not parties to this agreement. The appropriate basis for this processing is Article 6(1)(f): "The processing is necessary to satisfy the legitimate interests of the controller." The basis 'performance of contract' can be used if the IT service provider is self-employed. This is unlikely to be the case in this instance.
Conclusion
I believe that the AP's register has been greatly improved. It contains a clear overview of all the AP's (statutory) tasks and the personal data processed therein. Creating an accurate and complete processing register is a difficult task. We all started enthusiastically in 2018 to prepare the processing register in order to meet the May 25, 2018 deadline. We learned a lot and may have come to the conclusion in the meantime that the quality can be greatly improved. This is not a bad thing; we all had to learn, including the AP. As I also wrote in my previous blog, having a processing register should not be an end in itself; the processing register should instead help the organization take the next step in protecting personal data.
View the AP's current processing registry
View the AP's old processing registry
Footnotes
(1) https://www.auditconnect.nl/nl/overons/Nieuws/201906/verwerkingsregister-autoriteit/
(2) https://www.gegevensbeschermingsautoriteit.be/model-voor-een-register-van-de-verwerkingsactiviteiten
(3) /cms/files/2020-04/privacybeleid-ap-okt-2019.pdf
This article can also be found in the files Accountability and AVG