Processing covers a wide range of operations performed on personal data, including by manual or automated means. It includes the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data.
The General Data Protection Regulation (GDPR) applies to the processing of personal data wholly or partly by automated means, and to non-automated processing of personal data which form part of, or are intended to form part of, a filing system (Art. 2(1) GDPR).
Records of processing activities (Art. 30 GDPR) are written or electronic records that document and give an overview of the procedures by which an organisation processes personal data. For a controller, each record must state, among other things, the name and contact details of the controller (and, where applicable, the joint controller, representative and data protection officer), the purposes of the processing, the categories of data subjects and of personal data, the categories of recipients, any transfers to third countries and, where possible, the envisaged retention periods and a general description of the technical and organisational security measures. The records must be made available to the supervisory authority on request.
The obligation to create records of processing activities is not only imposed on controllers and their representatives, but also directly on processors and their representatives.
Companies or institutions with fewer than 250 employees are exempt from keeping a record only if all of the following hold: the processing is not likely to result in a risk to the rights and freedoms of data subjects, the processing is only occasional, and no special categories of data (Art. 9) or data relating to criminal convictions and offences (Art. 10) are processed. If any one of these conditions is not met, the record must be kept.
In practice, this exemption is rarely applicable. Apart from any difficulties which occur during the interpretation of what is considered “only occasional,” in most companies – even with a broad interpretation of the term – data will unambiguously be processed regularly, including data processing for the website, their web shop, salary calculation or CRM systems. One must note that the obligation for documentation and therefore records of processing activities will be a focus of authorities’ inspections of the implementation of the Data Protection Regulation.
If a company does not maintain records of processing activities and/or does not provide a complete record to the authorities, it is subject to fines under Art. 83(4)(a) of the GDPR: up to 10 million euros or, for an undertaking, up to 2% of its total worldwide annual turnover of the preceding financial year, whichever is higher. As a rule, the maximum is imposed only in exceptional cases; the authorities are encouraged, as set forth in recital 13, "to take account of the specific needs of micro, small and medium-sized enterprises in the application of this Regulation."
SENTINEL will help you document your organisation's processing activities and store permanent copies of them in the ROPA.