The Belgian Privacy Commission (the “Belgian DPA”) recently released a Recommendation (in French and Dutch) regarding the requirement to maintain internal records of data processing activities (the “Recommendation”) pursuant to Article 30 of the EU General Data Protection Regulation (“GDPR”).
The Recommendation aims to provide guidance to data controllers and data processors in establishing and maintaining internal records by May 25, 2018. As of that date, the internal records requirement must be complied with, and the Belgian DPA must be able to request that such records are made available to it.
Key takeaways from the Recommendation are summarized below:
- Responsibility in maintaining internal records. The obligation to maintain internal records applies both to data controllers and data processors (or their representatives, if the data controller or processor does not have an establishment in the European Union). The requirement to maintain internal records does not apply, however, to companies or organizations with fewer than 250 employees, unless (1) their data processing activities are likely to result in a risk to the rights and freedoms of individuals, (2) the processing is not occasional, or (3) the processing includes sensitive personal data or personal data relating to criminal convictions and offenses. Despite these exceptions, the Belgian DPA recommends that all controllers and processors maintain internal records. With respect to SMEs, however, the Belgian DPA is not opposed to the creation of internal records only for regular processing activities, and not for occasional processing activities.
- Aim of such requirement. Maintaining internal records is a cornerstone of the accountability regime under the GDPR. Internal records must be made available to supervisory authorities. The requirement to maintain internal records replaces the requirement to file national registrations of data processing activities, which often was seen as inefficient and burdensome for companies. In this respect, the Belgian DPA notes that existing national registrations that were previously filed might be, to a certain extent, useful in creating internal records. However, companies must be aware of the differences between internal records and existing national registrations. Among others differences, the Belgian DPA notes that the obligation to file national registrations was applicable only to data controllers, and not to data processors.
- Content of internal records. Internal records must cover all processing activities carried out on May 25, 2018, whether such processing activities were previously or recently initiated.
- Internal records maintained by data controllers must contain the following information: (i) name and contact details of the controller and where applicable, joint controller and the controller’s representative; and (ii) name and contact details of the data protection officer (the “DPO”), if any (this does not exempt the data controller from the requirement to notify supervisory authorities of the name and contact details of the DPO); (iii) clear and detailed information regarding the purposes of the processing; (iv) a description of the categories of data subjects; (v) a description of the categories of personal data; (vi) the categories of recipients, whether internal or external, including recipients in third countries or international organizations; (vii) information about data transfers to a third country, including the identification of such third country, and where applicable, the documentation of suitable safeguards; (viii) envisioned time limits for erasing the data, or, according to the Belgian DPA, the criteria used to determine the retention period; and (ix) a general description of technical and organizational security measures implemented.
- Data processors, on the other hand, must maintain internal records containing the following information: (i) name and contact details of the processor and where applicable, the processor’s representative; (ii) name and contact details of each controller on behalf of which the processor is acting, and where applicable, the controller’s representative; (iii) name and contact details of the data protection officer (if any); (iv) categories of processing carried out on behalf of each controller; (v) information about data transfers to a third country, including the identification of such third country, and where applicable, the documentation of suitable safeguards; and (vi) a general description of technical and organizational security measures implemented.
According to the Belgian DPA, nothing prevents controllers and processors from including other information in the internal records. In that respect, controllers and processors could take their past national registrations into account. In addition, the Belgian DPA recommends that controllers and processors consider including in internal records information about applicable legal basis, data protection impact assessments, and personal data breaches.
- How to establish internal records. These records must be in writing and available in electronic form, and must be clear and understandable. The Belgian DPA recognizes some flexibility with respect to the format used to maintain the records. In addition, internal records must be kept up-to-date and the Belgian DPA recommends that controllers and processors keep them for accountability purposes, taking into account applicable statutes of limitation. The Belgian DPA also recommends that, in creating internal records, controllers and processors involve each member of their personnel working at an operational level who are capable of identifying the relevant processing activities.
- Recipients of the internal records. Upon request, controllers and processors must make such records available to the supervisory authority. The Belgian DPA, however, notes that internal records are not intended to be viewed by data subjects or the general public.
- Sanctions. The Belgian DPA states that failure to comply with the obligation to maintain internal records may result in an administrative fine of up to 10,000,000 EUR or 2% of the company’s global annual turnover, whichever is higher.