
GDPR: focus on the record of processing activities

Make IT Safe

Because the CNIL can audit them at any time, companies, administrations and associations must always be able to demonstrate that their personal-data processing complies with the law. To do so, they are required to maintain a record of processing activities, completed with precision and rigour. The record exists above all to satisfy Article 30 of the General Data Protection Regulation (GDPR) of the European Parliament and Council, which spells out every piece of information that has to be logged.

Reminder: what is the record of processing activities?

The CNIL refers to it as a mapping of personal-data processing activities. It is a document that catalogues in detail every processing activity carried out on collected personal data. “Processing” means any operation or set of operations performed on personal data — collection, recording, organisation, structuring, storage, modification, extraction, use, communication or simple consultation.

The record can be prepared by several different actors: the controller itself, the DPO (Data Protection Officer) if one has been appointed, or the processor. The document is not meant to be public. Public-sector organisations must nevertheless provide it to anyone who asks; private organisations are not obliged to, but may choose to.

Supervisory authorities such as the CNIL can consult it whenever they wish, whether during a routine compliance check or following a dispute or an incident such as a data breach. Maintaining this record is how an organisation meets the accountability principle introduced by the GDPR.

How to build a record

Gather available information

  • Identify and meet the operational managers of the various services likely to process personal data
  • Analyse the website and identify the data collected in online forms
  • Use the list of processing activities previously declared to the CNIL under the former declaration obligations
  • Refer to the various simplified standards drafted by the CNIL

Build the list of processing activities

  • List the different activities requiring personal-data processing
  • Use information gathered during interviews
  • Fill one record sheet per personal-data processing purpose

Refine and detail

  • Based on this record, identify and analyse the risks weighing on the data-processing activities in place
  • Build a GDPR compliance action plan
  • Update the record

The content of the record of processing activities

A properly completed record of processing activities is a sign of transparency and seriousness that can strongly impact brand image. The right information must be reported. To guide controllers in drafting, the CNIL offers simple guiding questions:

  • Who is the controller? Specify name and contact details, as well as those of the representative, DPO and processors if any.
  • Why is personal data collected? State every purpose precisely (building an HR file, a supplier list, etc.).
  • Which categories of people are targeted (employees, customers, members, patients, etc.)? And which data categories are collected (names, contact details, ID photos, phone numbers, CVs, payslips, licence plates, consumption habits, IP addresses, etc.)? Don’t forget to flag sensitive data explicitly.

  • Where will the data be located? What is its final destination and who will manage it? List every recipient.
  • Are there transfers outside the European Union? If so, specify recipient names and origin country.
  • What is the data retention period? Specify the deletion deadline, which may differ per category.
  • What security measures are in place to protect the data (prevent unauthorised access, limit breach risk, etc.)? Detail every technical and organisational measure deployed.
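The guiding questions above amount to a schema: one sheet per purpose, with required fields, sensitive-data flags, a deletion deadline per data category, and named recipients and countries for any transfer outside the EU. The following Python script is an added example, not code from the article or from the CNIL, showing how those completeness checks can be automated over a set of record sheets before an audit. The sheet layout, the sensitive-category labels (drawn from the article's own list of medical, racial, political, religious and judicial data) and the two sample sheets are all constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Data categories the article calls sensitive; the labels are constructed here.
SENSITIVE_CATEGORIES = {"health data", "racial or ethnic origin", "political opinions",
                        "religious beliefs", "judicial data"}


@dataclass
class Transfer:
    """A transfer outside the EU: the recipient and the destination country."""
    recipient: str
    country: str


@dataclass
class RecordSheet:
    """One sheet per processing purpose, mirroring the CNIL guiding questions."""
    purpose: str
    controller: str
    controller_contact: str
    data_subject_categories: list[str]
    data_categories: list[str]
    recipients: list[str]
    retention: dict[str, str]          # data category -> deletion deadline
    security_measures: list[str]
    sensitive_data: list[str] = field(default_factory=list)
    transfers_outside_eu: list[Transfer] = field(default_factory=list)
    dpo: str = ""
    processors: list[str] = field(default_factory=list)


def validate_sheet(sheet: RecordSheet) -> list[str]:
    """Return a list of completeness findings; an empty list means the sheet is complete."""
    findings: list[str] = []
    if not sheet.purpose.strip():
        findings.append("purpose is missing")
    if not (sheet.controller.strip() and sheet.controller_contact.strip()):
        findings.append("controller name and contact details are required")
    if not sheet.data_subject_categories:
        findings.append("no categories of data subjects listed")
    if not sheet.data_categories:
        findings.append("no categories of data listed")
    for cat in sheet.data_categories:
        # Sensitive data must be called out explicitly, not buried among other categories.
        if cat in SENSITIVE_CATEGORIES and cat not in sheet.sensitive_data:
            findings.append(f"sensitive data '{cat}' is not flagged as sensitive")
        # Retention may differ per category, so each one needs its own deadline.
        if not sheet.retention.get(cat, "").strip():
            findings.append(f"no deletion deadline for '{cat}'")
    if not sheet.recipients:
        findings.append("no recipients listed")
    for t in sheet.transfers_outside_eu:
        if not (t.recipient.strip() and t.country.strip()):
            findings.append("transfer outside the EU must name recipient and country")
    if not sheet.security_measures:
        findings.append("no technical or organisational security measures described")
    return findings


def validate_record(sheets: list[RecordSheet]) -> dict[str, list[str]]:
    """Validate every sheet of the record, keyed by purpose."""
    return {s.purpose: validate_sheet(s) for s in sheets}


# Constructed sample sheets: one complete, one with several gaps.
HR_FILE = RecordSheet(
    purpose="HR file management",
    controller="Example SAS",
    controller_contact="dpo@example.invalid",
    data_subject_categories=["employees"],
    data_categories=["contact details", "payslips", "health data"],
    recipients=["HR department", "payroll processor"],
    retention={"contact details": "5 years after departure",
               "payslips": "5 years after departure",
               "health data": "duration of employment"},
    security_measures=["role-based access control", "encrypted backups"],
    sensitive_data=["health data"],
    transfers_outside_eu=[Transfer("Payroll Ltd", "United Kingdom")],
    dpo="Jane Doe",
    processors=["Payroll Ltd"],
)

NEWSLETTER = RecordSheet(
    purpose="Newsletter",
    controller="Example SAS",
    controller_contact="",
    data_subject_categories=["prospects"],
    data_categories=["email address", "political opinions"],
    recipients=[],
    retention={"email address": "until unsubscribe"},
    security_measures=[],
    transfers_outside_eu=[Transfer("Mailer Inc", "")],
)

if __name__ == "__main__":
    for purpose, findings in validate_record([HR_FILE, NEWSLETTER]).items():
        print(purpose, findings or ["complete"])
```

Running the script reports the HR sheet as complete and lists six gaps on the newsletter sheet (missing contact details, unflagged sensitive data with no deadline, no recipients, a transfer with no country, no security measures), which is exactly the kind of list a DPO would want before the CNIL asks for the record.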

How often must the record be updated?

The record must be updated regularly to follow the functional and technical evolution of data-processing activities. Any change in the conditions under which a logged processing activity is carried out must be reflected in the record, for example:

  • New data collected
  • Extended retention period
  • New processing recipient, etc.

Are there exceptions?

In principle, SMEs with fewer than 250 employees are not required to maintain such a record, except in certain cases:

  • If the processing activities are regular (building customer or HR files) and not occasional.
  • If the rights and freedoms of the people targeted by the processing activities may be threatened (risk of discrimination, etc.).
  • If the data collected is considered sensitive (medical, racial, political, religious or judicial information).

If at least one of these conditions is met, maintaining a record of processing activities is mandatory, even for small structures with fewer than 250 people.

Unfilled record: possible penalties

Even for a simple omission, the CNIL can impose a financial penalty on a company that has not respected this GDPR obligation. The penalty can reach up to 2% of global annual turnover. Public formal notices can also be issued against violators.