The processing registers that governments are required to keep under the General Data Protection Regulation are poorly accessible. This is according to a study by Open State Foundation, which requested these registers from all Dutch ministries, provinces and municipalities. One in five governments publishes these registers, almost two-thirds of the registers are not yet complete, and the registers look different at all governments.
Since May 25, 2018, the General Data Protection Regulation (AVG) has been in effect. The AVG places the onus on organizations to demonstrate compliance with privacy regulations. One of the new obligations this has placed on an organizations is to keep what is known as a processing register.
Establishing a register of processing activities (processing register) is often a mandatory measure under the General Data Protection Regulation (GDPR). Whether an organization must establish a processing register depends on the size of the organization and the type of data the organization processes.
Organizations with more than 250 employees are always required to keep a processing register. The situation is different for organizations with fewer than 250 employees. These organizations are only required to have a processing register if one or more of the following situations apply:
Processing of personal data is not incidental. In practice, however, processing is rarely incidental. After all, almost all organizations process personal data of employees, clients, customers, members, patients or residents.
Processing personal data poses a high risk to the rights and freedoms of the individuals whose personal data you process.
The organization processes personal data that fall under the category of special personal data. This is the case, for example, if sensitive personal data are processed, such as data on religion, health and political affiliation or criminal data.
In practice, the above conditions mean that almost every organization is required to keep a processing register.
The (processing register contains information about the personal data an organization processes. The organization may decide for itself how the register is drawn up. However, the AVG does prescribe what information an organization as a controller or processor must put in the processing register.
In the organization the one who decides whether, and if so, what data are processed, for what purpose and in what manner, then that organization is the controller. Each controller keeps a register of the processing activities that take place under their responsibility. That register shall contain all of the following information:
The name and contact details of the organization and, where appropriate, the data protection officer;
the purposes of the processing;
A description of the categories of data subjects (those whose personal data are processed) and the categories of personal data (e.g., name and address, BSN, financial data, e-mail addresses);
the categories of recipients to whom the personal data have been or will be disclosed, including recipients in countries outside the EEA, international organizations or processors;
transfers of personal data to a country outside the EEA or an international organization, including indication of that country or international organization;
The time limits within which the different categories of data are deleted;
A description of the technical and organizational security measures.
The processor is the person who processes personal data on behalf of and for the benefit of the controller, for example, an administrative office or a hosting provider. The processor keeps a register of all categories of processing activities they have performed on behalf of a controller. This register contains the following information:
the name and contact details of the processor and of each responsible party on whose behalf the processor acts and the data protection officer;
The categories of processing carried out on behalf of each controller;
transfers of personal data to a country outside the EEA or an international organization, including indication of that country or international organization;
A description of the technical and organizational security measures taken.
Because a processor typically also processes data from customers, suppliers, employees, etc., they must maintain two different processing records.
The register may be requested by the Autoriteit Persoonsgegevens. Each organization is obliged to cooperate with the supervisory authority and provide this register upon request for the purpose of using it for monitoring processing activities.
View the report'Examining the register of processing operations'
This article can also be found in the AVG file
