Records of Processing Activities under GDPR
Companies use various kinds of key performance metrics to analyze their business in areas such as marketing, sales, customer success, human resources, finance, or IT. Establishing records of processing activities through a RoPA exercise can streamline and connect all of these. All companies are expected to declare in their privacy notice the purposes for which they collect and share the personal information of their customers and other data subjects. The RoPA creates the opportunity for transparency among teams, alignment of their business processes, and consistent use of personal data.
What is Article 30 of the GDPR?
Article 30 requires each company that is a controller within the scope of the GDPR to maintain “Records of Processing Activities” (also referred to as RoPAs) in written and electronic form, creating a comprehensive overview of the company’s personal data-processing activities. Each processor shall also maintain a record of all categories of processing activities carried out on behalf of a controller. The RoPAs should show why and how data is being processed. These records shall be made available to the supervisory authority upon request.
What are processing activities under GDPR?
The term “processing activity” is not actually defined in the GDPR, which means it may be unclear what is to be documented and to what level of detail. In general, the GDPR instructs you to record the sequence of steps through which the personal information of employees or consumers / data subjects travels within or outside of the company, as well as the “legal basis” or purpose (defined under Article 6 of the GDPR) for collecting, using, and disclosing this personal information.
Records of Processing Activities under the GDPR
The required content of the record of processing activities is detailed in Art. 30 GDPR. In addition to the name and contact details of the company and of the data protection officer (DPO), if any, the following information must be provided for each processing activity:
Purpose of the processing – why you use the personal data
Category of the individual – employee, customer, etc.
Categories of data processed – contact, financial, health, etc. – particularly if any special categories
Group of persons to whom the processed data relates (data subjects)
Recipients of the data – the parties with whom you share it
Information on transfers to countries outside the EU/EEA/UK
Data retention schedules
Description of technical and organisational security measures / safeguards for protecting
Of note, you must have a valid lawful basis (legal basis) to process data. It is helpful to also note this in your RoPA.
Legal basis (or bases) according to Art. 6 GDPR on which the processing is based; in the case of “balancing of interests”, additionally the legitimate interests pursued (this information is required for data protection notices according to Art. 13 para. 1 lit. c and d GDPR).
Article 30 GDPR Processing Activity Examples
Examples of processing activities for employees might include the following.
Use of special software or devices with which employee data is recorded, stored or evaluated (e.g., recruiting and hiring system, payroll system, timekeeping system, digital personnel files, electronic door access card system, video security surveillance).
Standardised internal processes in which employee data are continuously or systematically collected, stored or used (e.g., handling of job applicant data, background checks, drug tests, administration and processing of training, payroll accounting, employee e-mail newsletter).
How does Article 30 of the GDPR affect my business?
Article 30 of the GDPR requires that companies with more than 250 employees must maintain an internal record of processing activities and have it available in case a supervisory authority requests to review those records.
Before a company can set about maintaining a RoPA or documented record of processing activities, it must first determine what types of personal data it processes, where the data is stored, and how the data moves through and outside of the company. This lays the groundwork for complying with other areas of the GDPR such as Article 6, establishing a legal basis for processing; Article 7, conditions and requirements for obtaining consent; and Article 13, requirements to disclose these details in your public-facing privacy notices. These are the foundation for compliance with the GDPR.
Are Article 30 GDPR Templates available?
There are many Article 30 GDPR templates available online. Software such as 2B Advice PrIME includes catalogues or templates to help you with the process by creating easy-to-answer online surveys that can be routed to the right people for completion.
For example a ROPA questionnaire might ask these questions:
- Why do you process personal data?
- Whose data do you process?
- What kinds of or categories of data do you process?
- With whom do you share this data?
- How long do you store the data/when do you delete this data?
- What measures do you use to protect this data?
- With what third parties or vendors do you share this data?
These questions should be answered by the internal departments and business units that are likely to process employee or customer data.
Article 30 GDPR Checklist: How to Comply
1. Develop a standard questionnaire template for the data privacy impact assessment
2. Establish consistent guidelines and approaches for important areas such as data retention or technical and organizational measures
3. Establish risk thresholds to identify areas for improvement
4. Verify that all data processes have a valid legal basis
5. Update the privacy notice accordingly
6. Maintain the electronic RoPA on a regular basis
These are some of the initial steps to get a company on the road to compliance. Other measures may include conducting third-party vendor assessments, or conducting employee training to remedy areas with a high risk of non-compliance.
What happens if you break Article 30 GDPR rules?
Supervisory authorities are empowered to impose significant administrative fines on data controllers and processors. Fines may be imposed for a wide variety of issues, including purely procedural infringements such as non-compliance with Article 30 GDPR, which can carry administrative fines of up to €10,000,000 or up to 2% of global turnover, whichever is higher.
How does the new California CPRA requirement compare to Article 30 GDPR?
One of the CPRA’s most impactful provisions, 1798.185(a)(15), is similar to Article 30 GDPR in that it requires businesses to conduct annual cybersecurity audits and “regular” risk assessments if the business’s “processing of consumers’ personal information presents significant risk to consumers’ privacy or security.” In determining whether the processing “may result in significant risk to the security of personal information,” the CPRA identifies two factors to be considered: (1) the size and complexity of the business; and (2) the nature and scope of processing activities.
The primary difference is that CPRA also requires that the company submit to the California Privacy Protection Agency (CPPA) on a regular basis a risk assessment with respect to their processing of personal information.
Closing Thoughts: What should you do next about Article 30?
If you are expanding into Europe, acquiring or merging with a company in Europe, or your company is based in Europe and you want to move from managing your RoPA on a spreadsheet to an integrated, privacy compliance management system, 2B Advice can help. Our robust 2B Advice PrIME software was developed in Germany, at the heart of the privacy culture, and has been designed to meet the most rigorous requirements of the GDPR and European Supervisory Authorities.
Call us today for a consultation.