Are you obliged to maintain a “record of processing activities”?

As from the entry into force of the GDPR on 25 May 2018, many companies will be obliged to maintain a record of all processing activities which are carried out under their responsibility. This requirement will replace the obligation to notify these processing activities to the Privacy Commission.

1. Who is obliged to maintain a record?

The obligation to establish a record containing the processing activities applies to:

  1. companies employing 250 or more persons;
  2. companies carrying out processing activities likely to result in a risk to the rights and freedoms of data subjects;
  3. companies processing sensitive information (data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation);
  4. companies that do not just occasionally process personal data.

Concerning this last category, the question arises as to what is meant by a “not occasional” processing of personal data. A broad interpretation of this concept would mean that practically every company is required to maintain a record, since practically every company that employs workers frequently processes personal data. Just think about the processing required to manage human resources or prepare the payroll.

Because of this ambiguity, we asked the Privacy Commission for its view concerning the matter. The Privacy Commission seems to make a distinction between, on the one hand, the processing activities which at present must be notified to the Privacy Commission and, on the other, the processing activities that, under the Belgian legislation, are exempted from the notification requirement. Many frequently used processing activities, such as payroll and personnel administration, are exempted from this requirement. However, processing activities in the context of personnel administration concerning health, sensitive or judicial information or data concerning evaluations, are not covered by this exemption. This includes the evaluations of the worker and the information in preparation of these evaluations. These data are considered to be sensitive enough to be subject to the notification requirement.

The Privacy Commission clarifies that some processing activities covered by the current exemption scheme are not considered to be a threat to the privacy of the person involved. Based on this position – and, by analogy with the current exemptions to the notification requirement – it is likely that the Belgian legislator will determine that the employer is not required to maintain a record with regard to these processing activities in the context of payroll and personnel administration, provided that the company employs fewer than 250 workers.

Regardless of whether the company is covered by the obligation to maintain a record or not, we are of the view that every employer would be well advised to maintain a record, considering the “accountability” of the controller.

2. What should be in the record?

All processing activities carried out under the responsibility of the company must be included in a written or electronic record.

This record must contain all of the following information:

  • the name and contact details of the controller and, where applicable, the controller’s representative and the data protection officer;
  • the purposes of the processing;
  • a description of the categories of data subjects and of the categories of personal data;
  • the categories of recipients to whom the personal data have been or will be disclosed;
  • where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, where appropriate, the documentation of suitable safeguards;
  • where possible, the envisaged time limits for erasure of the various categories of data;
  • where possible, a general description of the technical and organisational security measures.

3. Abolition of the obligation to notify the Privacy Commission

At present, companies are required to notify the Privacy Commission in advance with regard to all of their (completely or partly) automated personal data processing. This notification requirement, which is causing an administrative burden for companies, will cease to exist from 25 May 2018. As from its entry into force, the GDPR will abolish this notification requirement and replace it with the aforementioned obligation to maintain a record.

The record that will replace the notification requirement should be submitted at the request of the Privacy Commission, so that the Privacy Commission can oversee the processing activities.