PONT Data&Privacy

What should be in a processing register?

Sander van de Molen
31 December 2019

ANSWER

The General Data Protection Regulation (AVG, the Dutch name for the GDPR) lists a number of mandatory measures that help you meet your accountability obligations.

One of these measures is keeping a register of processing activities (Art. 30 AVG: the processing register). Whether you are required to keep one depends on the size of your organization and the type of data you process.

Does your organization have more than 250 employees? If so, you are required to keep a processing register.

Does your organization have fewer than 250 employees? Then you must have a processing register if one or more of the following situations applies to you:

  • Processing of personal data is not incidental.
    In practice, processing is rarely incidental. Consider, for example, the personal data of your employees, or of your customers, clients, patients or residents.

  • You process personal data that poses a high risk to the rights and freedoms of the individuals concerned.

  • You process personal data that falls into one of the special categories of personal data, for example data on religion, health or political affiliation, or criminal data.

What should be in a processing register?

Is your organization a data controller? If so, the register must consist of the following components.

Name and contact information
The name and contact information of:

  • Your organization or your organization's representative;

  • Any other organizations with which you have jointly established the purposes and means of processing;

  • The data protection officer (FG), if you have appointed one;

  • Any international organizations with which you share personal data.

Purposes
The purposes for which you process personal data. For example, for recruitment and selection of staff, delivery of products or direct marketing.

Data subjects
A description of the categories of persons whose data you process. For example, benefit recipients, customers or patients.

Personal Data
A description of the categories of personal data. Such as the BSN, name and address information, telephone numbers, camera images or IP addresses.

Retention period
The date by which you must delete the data.

Recipients
The categories of recipients to whom you provide personal data.

Outside EU
Do you share data with a country or international organization outside the EU? If so, you must indicate this in the processing register.

Security
A general description of the technical and organizational measures you have taken to secure the personal data you process.

In addition, it is useful to record extra information in the register so that it can serve as a basis for the further privacy design of your organization. This works when the register shows which personal data are processed within which processes and in which systems, with whom these data are exchanged and how they are secured.

You gain this insight by recording some additional aspects in the register, such as:

  • In which processes personal data are processed.

  • What type of personal data this is (regular, sensitive, special).

  • In which systems that data is processed.

If you know where, in which processes and in which systems, which data is being processed, you also know where to focus your security effort. It also helps you determine what action to take in the event of a data breach, and helps you comply with data subject rights.

Is your organization a processor?

If your organization is a processor, the following information must be in your processing records:

Name and contact information
The name and contact information of:

  • Your organization, or your organization's representative, or the controller;

  • The data protection officer (FG), if you have appointed one.

Processes
A description of the categories of processing you perform on behalf of each controller.

International transfer
Any international organizations with which you share personal data.

Outside EU
Do you share data with a country or international organization outside the EU? If so, you must indicate this in the processing register.

Security
A general description of the technical and organizational measures you have taken to secure the personal data you process.