
Record of Processing Activities

Some companies are required to establish a Record of Processing Activities in accordance with GDPR

Some companies are required under the GDPR to establish a Record of Processing Activities. This means that the company must document its processing of personal data.

Not all companies need to create a Record of Processing Activities in accordance with GDPR

Not all companies need to create a Record of Processing Activities (ROPA). As a general rule, companies with more than 250 employees must draw up a Record of Processing Activities. However, companies with fewer employees may also need to do so.

Companies with fewer than 250 employees must create a Record of Processing Activities if the processing activity:

  • Is carried out regularly, i.e. is not merely occasional.
  • Is likely to result in a risk to the rights and freedoms of data subjects.
  • Includes special categories of data pursuant to Article 9(1) of the GDPR.
  • Includes personal data relating to criminal convictions and offences under Article 10 of the GDPR.

Keep in mind that companies with fewer than 250 employees that carry out a processing activity which must be registered in a Record of Processing Activities do not have to register all their personal data processing operations. Only those processes that meet any of the above requirements need to be documented in the record. This is different from larger companies with more than 250 employees, which have to document all their processing operations in the Record of Processing Activities.


Must be in writing and available electronically

Companies that need to establish a Record of Processing Activities must do so in writing in accordance with Article 30 of the GDPR. In addition, the record must be available in an electronic format, for example as an Excel file. If the national data protection authority requests access to it, the company must provide it.

Examples of what should be included in a Record of Processing Activities of controllers

Contact details

The contact details of the controller. If the company has a data protection officer, his or her contact details must also be stated.

Purpose

The purpose of the processing.

Categories

The categories of personal data to which the processing relates, such as sensitive or other privacy-sensitive personal data. The same applies to categories of data subjects, such as children or other groups worthy of additional protection.

Recipient

To whom the company discloses the personal data. For example, a processor, specific internal departments or other employees.

Transfer to a third country

If the company transfers the personal data to a third country, i.e. a country outside the EU/EEA area, this must be stated. The third country concerned must also be named.

Duration of processing

How long the personal data will be processed.

Security measures

It is good to also include a description of the technical and organizational security measures that the company takes to protect the personal data.

Examples of what should be included in a Record of Processing Activities of processors

Contact details

The contact details of the processor must be stated in the record. The same applies to each controller on whose behalf the processor carries out processing. If the processor has a data protection officer, the contact details of the data protection officer must also be stated.


Categories

The categories of personal data to which the processing that the processor carries out on behalf of the controller relates.


Transfers to third countries

Information on any transfer of personal data to a recipient in a third country, that is, a country outside the EU/EEA area.


Security measures

The Record of Processing Activities should include a description of the technical and organisational security measures taken by the processor to protect the personal data, specified where possible. Examples of technical and organisational security measures that the processor can take are antivirus protection, multi-factor authentication at login, encryption, internal procedures, data processing agreements, etc.


Conclude a Data Processing Agreement

When a controller engages a processor, the two parties must enter into a Data Processing Agreement (DPA). Please note that the agreement must be in writing, as this is a formal requirement under the law. The DPA regulates the relationship between the parties to the agreement, as well as what the processor may and may not do with the personal data.
