GDPR: farewell declaration duty, welcome processing register. Privacy

An earlier newsflash introduced you to the general principles of the General Data Protection Regulation (GDPR). In this newsflash we examine in greater detail one of the GDPR’s entirely new obligations, namely the register of processing activities.

Elimination of the declaration duty 

Let's start with the good news: as of the entry into force of the GDPR (25 May 2018) it will no longer be necessary to give the Privacy Commission advance notice of automated processing of personal data. The declaration duty is therefore set to disappear, although Belgian law will still have to be adapted in this sense.

With this innovation, the GDPR wishes to take account of the rapid technological developments relating to the processing of personal data. This innovation also constitutes an administrative simplification. A publicly consultable data processing register currently exists on the Privacy Commission’s website, but in fact it is rarely consulted.

Introduction of the processing register

The elimination of the declaration duty is a good thing, but inevitably within the framework of the GDPR a new obligation is taking its place. As of 25 May 2018, each controller - and, where applicable, the processor - will have to keep a “record of processing activities” (art. 30 GDPR). In June of this year the Privacy Commission published an exhaustive recommendation on this processing register. This interesting recommendation clarifies a number of points about this documentation duty (see below).

Companies or organisations having fewer than 250 employees are exempted from the new obligation, unless they perform one of the following types of personal data processing:

  • processing operations that entail risks for the rights and freedoms of the parties involved (e.g. when the processing can result in discrimination or harm to reputation);
  • processing operations concerning personal data of a special category (e.g. health information or information relating to political opinions);
  • processing operations that include criminal-law convictions;
  • processing operations that are “not occasional”.

The GDPR does not define what is to be understood by processing operations that are "occasional". In the recommendation, the Privacy Commission clarified that an occasional processing operation takes place "incidentally or by chance". Processing operations relating to customers, suppliers and personnel management are not occasional. Such a broad interpretation means that virtually all companies have to keep such a register. The Privacy Commission doesn't see this as a problem; the fewer processing operations a company performs, the simpler the register will be.

The register is a written (including electronic) document that must be drawn up by the controller and the processor. This register, which is continuously updated, must contain certain information about the processing that was performed. Amongst other things, the names and contact information of the controllers and processors must be mentioned, as well as the processing objectives and the categories of personal data.

Privacy Commission makes model available

In its recommendation, the Privacy Commission explained in detail what this register should look like. In the meantime, you can download a model from the Privacy Commission’s website.

Serious sanctions

The controller or the processor will make the register available at the Privacy Commission's request. If the Privacy Commission determines that no register is present, or if the register does not fulfil the conditions, this can be sanctioned by an administrative fine of up to 10 million euros or, for a company, up to 2% of the total turnover of the previous financial year, if that amount is higher. It’s possible that the Privacy Commission won't go down that road immediately, and will initially limit itself primarily to providing information. Nevertheless, it would be best to comply strictly with the obligations of the GDPR and the Privacy Commission's recommendations.

More about the GDPR in later newsflashes.

For more information on this topic, you can consult Dave Mertens, Sara Cockx and Sébastien van Damme (authors).