Privacy: Dutch Data Protection Authority makes five recommendations for records of processing activities

Mr R. (Ramses) de Leeuw I 7 December 2018 I Reading time: about 3 minutes

On 28 November 2018, the Dutch privacy watchdog, the Dutch Data Protection Authority (Dutch DPA), made five concrete recommendations for the so-called record of processing activities.

A record of processing activities is – in short – an (internal) record in which companies or organisations keep the most important information about the processing of personal data that takes place under their responsibility. ‘Processing’ includes all actions an organization can perform with personal data, such as in any case collecting, organizing, consulting, storing, transmitting and erasing data. In practice, a proper record of processing activities is the basis for other privacy documents that a company or organisation may need to maintain, such as privacy statements and processing agreements.

Maintaining a record of processing activities is compulsory under Article 30(1) of the GDPR, unless the company or organisation in question employs less than 250 persons. However, this exception for small enterprises or organisations does not apply if one of the three following grounds for exception occurs:

  • the processing is likely to result in a risk to the rights and freedoms of data subjects; or
  • the processing is not occasional; or
  • the processing of special categories of personal data or data relating to criminal convictions or criminal offences is involved.

Recommendations of the Dutch Data Protection Authority

Based on an exploratory study among thirty large organisations from ten private sectors, the Dutch DPA makes the following five concrete recommendations on its website:

  1. Indicate how long and for what purpose you want to store personal data. European privacy legislation does not allow personal data to be stored longer than necessary for the purpose for which they were collected. Organisations should also be able to motivate why they collect these data.
  2. Include the contact details of the data controller in the record.
  3. Provide a clear file of all processing of personal data in which users can easily navigate.
  4. Clearly indicate the location or file where personal data is stored and include these locations or files in the registry. This information is relevant when people submit a request for access or erasure.
  5. Make clear which purpose belongs to which processing. It is not enough simply to enumerate the processing operations by department in combination with an enumeration of the various purposes of the processing operations.

It is striking that the Dutch DPA’s recommendations seem to go further than the text of the GDPR on certain points. In its first recommendation, for example, the Dutch DPA seems to require that the period of retention of personal data be specified. However, the GDPR only requires retention periods ‘where possible’ (article 30(1) opening words and under f GDPR). A number of recommendations seem to be mainly practical in nature, and – the term ‘recommendation’ is telling – not so much an interpretation, including a binding interpretation of the GDPR. Nevertheless, companies and organisations would do well to adopt the practical recommendations of the Dutch DPA as much as possible.

As said before, the record is the basis for compliance with privacy regulations. The quote of Dutch DPA Chairman Aleid Wolfsen on the recommendations in this context is also significant:

“The quality of the record of processing operations enables the Dutch DPA to make a sound assessment. Does that record suffice? Then it gives an impression of how an organisation complies with the new European privacy rules.”

This shows that the Dutch DPA – rightly – attaches great importance to the quality of the record of processing activities.

If you have any questions about this article, please contact Mr R. (Ramses) de Leeuw.

Follow Schaap Advocaten Notarissen on LinkedIn.