Office of the Commissioner for Personal Data Protection
 
Record of processing activities

One of the changes envisaged in the Regulation, which is specifically aimed at simplifying compliance measures and reducing bureaucracy, is to abolish the duty of data controllers to submit a Notification on the commencement of a processing to the Data Protection Authorities.

Despite this, Article 30 of the Regulation requires controllers and processors to keep an internal record of processing activities. The record of activities is kept by data controllers or processors and it is made available to the Commissioner on request. It should not be sent to the Commissioner unless requested. The record of activities must be kept electronically.

Who is obliged to keep a Record of Processing Activities?

The obligation lies with organisations that operate as data controllers or data processors. The controller is the person who determines the purpose and the means of processing, and can be a natural or a legal person. For enterprises, the controller is usually the owner or the managing director. However, it cannot be excluded that the data controller could be an employee who decides on the purpose and manner of one or more processing operations. The processor is a person outside the organisation, to whom the controller assigns a processing operation, and who acts on the instructions and on behalf of the controller.

For instance, if a company decides to enter into a contract with a cloud service provider, that contractor acts as a data processor. Where there are joint controllers, the record of activities should be kept by each of them, according to their particular involvement. If an organisation is based outside the European Union (EU) but offers goods or services to persons within the EU, or monitors their behaviour, it is obliged to appoint a representative in the EU. In such a case the representative of the organisation is responsible for keeping the record of activities.

If a company has an establishment in Cyprus or is a member of a group of companies, which has its main establishment in Cyprus, it is recommended that the Record is kept in cooperation with other companies of the group engaged in the same or similar activities.

Who is not obliged to keep a Record of Processing Activities?

The obligation to keep a record of processing activities does not apply ‘to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10.’ (Article 30(5) of the GDPR).

However, it should be underlined that the wording of Article 30(5) is clear in providing that the three types of processing to which the derogation does not apply are alternatives (“or”), and the occurrence of any one of them alone triggers the obligation to maintain the record of processing activities. Therefore, even with fewer than 250 employees, data controllers or processors who either carry out processing likely to result in a risk (not just a high risk) to the rights of the data subjects, or process personal data on a non-occasional basis, or process special categories of data under Article 9(1) or data relating to criminal convictions under Article 10, are obliged to maintain the record of processing activities.

For example, a small organisation is likely to regularly process data regarding its employees. Such processing cannot be considered “occasional” and must therefore be included in the record of processing activities. Other processing activities which are in fact “occasional” do not need to be included in the record, provided they are unlikely to result in a risk to the rights and freedoms of data subjects and do not involve special categories of data or personal data relating to criminal convictions and offences.

More information is available in the Position paper on the derogations from the obligation to maintain records of processing activities pursuant to Article 30(5) GDPR.

What is the usefulness of keeping a Record of Processing Activities?

The completion of this Record serves multiple purposes.

First, an organisation is obliged to make available the Record to the Commissioner, if she asks for it.

Second, it helps to answer questions such as who am I, what am I doing, how do I do it and why am I doing it. It is a tool for self-understanding and for self-assessing compliance with the Regulation.

Third, it helps in adopting a privacy policy, if an organisation is required to have one.

Fourth, it helps an organisation conform to the Principles of Accountability and Transparency.

Fifth, it helps in formulating a policy or setting up mechanisms for the exercise of data subjects’ rights.

Many organisations ask what they have to do in order to comply with the Regulation and where to start. The completion of this Record is recommended as a first step. Its proper and full completion will help the organisation to identify certain obligations stemming from the Regulation which must be met. The completion of the Record of Processing Activities is not a static process. It is a continuous one, since the Record must be updated whenever an existing processing activity changes or a new one is added. Keeping this Record is recommended even for organisations that are not obliged to keep it, since it is a useful tool for compliance with the Regulation.

What information should be kept in the Record of Processing Activities?

That record shall contain all of the following information:
  • the name and contact details of the controller and, where applicable, the joint controller, the controller's representative and the data protection officer;
  • the purposes of the processing;
  • a description of the categories of data subjects and of the categories of personal data;
  • the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;
  • where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
  • where possible, the envisaged time limits for erasure of the different categories of data;
  • where possible, a general description of the technical and organisational security measures referred to in Article 32(1).

Who is in charge of preparing the record of activities?

As stated above, the responsibility of keeping the Record lies, depending on the case, with the controller and the processor or their representatives, if any. However, they may delegate this task to one of their employees or to an external expert.

If the organisation is obliged to appoint a Data Protection Officer (DPO), it is recommended that the record is prepared by the DPO. In each case, the person undertaking this task must have a full picture of all the activities of the organisation. If he/she is an employee of the organisation, it is recommended that he/she is a high-ranking rather than low-ranking member, since he/she must be in continuous contact with the management and must have access to all the departments of the organisation, in order to record all the personal data processing activities. If the DPO is an external associate, the organisation must provide him/her with the necessary facilitation for the proper preparation of the record.

An administrative sanction or an administrative fine may be imposed on an organisation for not properly completing the Table. These are imposed on the organisation and not on the person who prepared the record.

The person in charge of preparing the record does not necessarily have to be a lawyer or an IT specialist. Nevertheless, he or she must have knowledge of the Regulation and of all the legislation that the organisation applies or that is applicable in the organisation’s field of activity, and must also have at least elementary IT knowledge.

In what language must the record be kept?

In principle, the record must be kept in the Greek language. However, it is recommended that the Table, or at least column 12, is also kept in English by organisations that carry out cross-border processing operations, operate in several EU Member States, provide information society services to children, provide information to data subjects through their website, or have a mechanism available on their website for the exercise of the rights of data subjects. In each case, the information provided to the clients, associates or employees of an organisation must be transparent and intelligible, in an easily accessible form, using clear and plain language.

Any other practical advice?

There may be a department or an individual averse to sharing information with other departments or colleagues about what is done, how and why, or reluctant to share adequate information easily. An employee may feel that by communicating information to colleagues he or she might compromise his or her position.

It is suggested that the person who undertakes the completion of the Table has the ability to tackle such problems. In order to prepare the record, that person may need the assistance of the organisation’s IT and legal consultants. It is also suggested that the person who undertakes the completion of the Table has good communication skills, so as to be able to convey technical issues to lawyers and legal issues to IT staff respectively.

How to prepare the record of activities?

The Commissioner has developed a basic template in the form of a table (in Greek and English) to help you keep the record of activities. The Guide provides guidance and helps in completing the Table.

Download the Excel file: Copy of Αρχείο Δραστηριοτήτων.xlsx

Download the Acrobat file: Guide - Record of activities ENG.pdf

Download the Acrobat file: PositionpaperArt30.pdf

Download the Excel file: Record of Activities Template ENG.xlsx
