Belgian DPA publishes recommendation on GDPR record keeping obligation | Fieldfisher
Skip to main content

Belgian DPA publishes recommendation on GDPR record keeping obligation

The Belgian Data Protection Authority published a recommendation on the records of processing activities which provides some helpful clarification as to how some of the practical implications of the records keeping obligation must be interpreted.

End of last week, the Belgian Data Protection Authority (the 'Privacy Commission') published a recommendation on the records of processing activities (the 'Recommendation'). The full text of the Recommendation is available in French and Dutch on the website of the Privacy Commission.

The Recommendation aims to assist controllers and processors in putting in place the records of processing activities as required by article 30 of the GDPR (the 'Records'). More specifically, the Recommendation addresses (among other things) the following questions:

  • Who is obliged to keep the Records?

  • Why do companies have to keep the Records?

  • What kind of information do the Records have to contain? and

  • How should the Records be drawn up?

  • How should the Records be kept up to date and how long should they be kept?

  1. Who is obliged to keep the Records? Are there any exceptions?

    1. Controllers, processors and their representatives

Pursuant to article 30 GDPR each controller, processor (and where applicable, their representative) have to maintain a record of processing activities under its responsibility that contains the information described in this article.

Although the GDPR seems to impose this obligation on both the controller, respectively the processor and its representative, the Privacy Commission believes that there is no need for the controller, respectively the processor and its representative to each maintain such Records. However, in case the controller, respectively the processor and its representative put in place a single set of records, they must ensure that these Records can be made available quickly to the Privacy Commission for consultation.

    1. Exceptions for SME

Article 30, §5 GDPR contains an exemption from the record keeping obligations for organisations which employ fewer than 250 persons. Article 30 §5 GDPR further specifies four cases in which the foregoing exemption does not apply:

  • the processing which is carried out is likely to result in a risk to the rights and freedoms of data subjects. To assess whether the processing is likely to result in a risk, the Privacy Commission refers to its detailed analysis in the draft recommendation on DPIA (only available in French and Dutch – see also our previous blog on this topic);

  • the data processing is not occasional. This should be understood as processing which is coincidental, unforeseen or not usual. (e.g. processing activities relating to customer management, human resources or supplier management);

  • the processing includes special categories of data;

  • the processing includes personal data relating to criminal convictions and offences.

    In concrete terms, this means that enterprises and organisations which fall within the scope of one of these four exemptions will be obliged to maintain Records, even if they employ fewer than 250 persons.

Notwithstanding the foregoing, the Privacy Commission recommends that all controllers and processors maintain Records, even if they are not obliged thereto under the GDPR. The Privacy Commission indicates however that for SME, it would suffice maintaining Records of those processing activities that are not occasional.

  1. Why do companies have to keep the Records?

    1. Record keeping as an accountability instrument

The Privacy Commission rightly points out that the Records should be considered as an important accountability instrument. Indeed, organisations that do not know their data will find it much more difficult to comply with the GDPR.

    1. Record keeping as an information source for DPAs

The Records also constitute a valuable information source for the Privacy Commission in the framework of its inspection powers.

  1. Leveraging you existing notifications?

The Privacy Commission does confirm that the Records are internal documents of an organisation, which are not required to be disclosed to public, contrary to the current notification requirements that exist in many EU Member States.

That being said, in some EU Member States, like Belgium, the notifications do contain rather detailed information regarding specific processing activities.

Assuming your notifications are up to date, the Privacy Commission therefore suggests that organisations leverage their existing notifications to put together their Records.

The Privacy Commission also reminds that it has drafted guidelines to assist controllers complete the notification of their processing activities (the 'Notification Guidelines'). Although these Notification Guidelines do not fully match with the GDPR record keeping requirements, they can be a useful tool. The relevant parts of the Notification Guidelines have therefore been attached to the Recommendation as annex 1.

In this context, the Privacy Commission indicates that it will keep its public register of notifications accessible on its website until 25 May 2019 to make it easier for organisations to re-use the relevant parts of their current notifications.

Finally, the Privacy Commission warns that organisations should not blindly rely on the fact that the notifications that have been filed with the Privacy Commission provide for a complete overview of all processing activities. Indeed, some processing activities were exempted from a notification but will still have to be included in the Records.

  1. What kind of information do the Records have to contain?

The Records must contain detailed information on all processing activities that are carried out on that date, regardless of how long these processing activities have been carried out by the controller or processor. The Recommendation contains the following clarifications to article 30 GDPR:

    1. Name and contact details of the controller and the data protection officer ('DPO')

The Privacy Commission stresses that the mention of the name and contact details of the DPO in the Records does not exempt the controller from its obligation to notify these contact details to the Privacy Commission.

    1. Purpose of the processing

Article 30, §1 GDPR requires controllers to maintain a Record for each processing activity. According to the Privacy Commission, this should be read in conjunction with the requirement to identify the purpose of the processing. Each processing activity with one and the same purpose only triggers the need for one Record. In other words, the fact that an organisation collects, registers, consults etc. personal data for a given purpose, does not require it to maintain a separate Record for every type of processing activities.

The Privacy Commission also recommends completing the general description of the purpose of the processing with a more detailed description, as it is the case today with the notifications that have to be filed.

With regard to processors, the Privacy Commission indicates that the records should as a matter of fact also refer to the purpose, despite the fact that this is not expressly required under article 30, §2 GDPR.

    1. Description of the categories of (i) the data subjects and (ii) the personal data for each identified purpose

When listing the categories of personal data, the Privacy Commission recommends identifying which constitute special categories of personal. Where applicable, it is also recommended to indicate which categories relate to minors, as the processing of their data may trigger specific obligations under the GDPR.

    1. Categories of recipients to whom the personal data have been or will be disclosed

The Records must identify which categories of recipients, both internally and externally, may have access to the data. Although neither the GDPR nor the Privacy Commission require you to identify each recipient individually, organisations may consider doing so anyway as part of their data mapping exercises and to increase their accountability.

    1. Data retention period

It is helpful to note that the Privacy Commission is of the opinion that the retention period should not necessarily be understood as a qualitative determination (e.g. x months or Y years). It may also relate to certain parameters such as "the time necessary to realize the concrete purpose that the controller wishes to obtain" or a reference to the statute of limitations.

    1. Additional information

Somewhat stating the obvious, the Privacy Commission confirms that nothing prohibits organisations from including additional non-mandatory information in their Records. Adding a reference to the legal basis for processing, whether a DPIA is required or not or even linking it to the obligation to keep records of all data breaches, may indeed help organisations to increase the added value of their Records.

The only caveat here is the fact that all additional information will also need to be disclosed to the DPA if the latter asks to be provided with a copy of the Records. As a result, organisations should make an assessment of what type of additional information they want to include in the Records.

  1. How should the Records be drawn up?

The Privacy Commission recommends that the Records are drawn up in cooperation with all relevant operational departments and the DPO. They should be drafted in clear and accessible language.

The Privacy Commission specifies that organisations are not obliged to draft the Records in the official Belgian languages (Dutch, French and German), but in case the Records are not drafted in these languages, the Privacy Commission could require the organisation to provide a translation at the expense of the latter. In the past however, the Privacy Commission has taken a rather pragmatic approach with regard to documents drafted in English.

The GDPR does not include a "standard model" of the Records and in this respect the Privacy Commission encourages professional bodies to consider drafting a flexible template taking into account the needs of the individual entities. In the future, the Privacy Commission might publish a template record that may be used as a reference point, much like the French DPA has already done (which can be consulted here).

The Privacy Commission explains that in the event one entity would fulfil the role of controller and processor at the same time, the Records may provide for two separate parts, each corresponding with the respective role fulfilled by such entity.

  1. Updating and retention of Records

It goes without saying that the obligation to keep Records should be understood as a dynamic obligation: the controller and the processor will have to re-assess the accuracy of the Records on a regular basis in view of updating these where appropriate.

The GDPR does not specify the retention period during which the Records should be kept after the processing has been terminated. According to the Privacy Commission it may be useful to keep this information, bearing in mind that the Privacy Commission might still request access to the Records after the termination of the processing activity in the context of an inspection. In this respect the Privacy Commission recommends keeping the records for a period of 5 years after termination of the processing activity.

  1. Conclusion

The Privacy Commission's Recommendation provides some helpful clarification as to how some of the practical implications of the records keeping obligation must be interpreted.

Maintaining accurate and up-to-date Records are a crucial element for organisation willing to demonstrate compliance.

Putting in place a clever process for putting together and maintaining these Records may also help to reduce the administrative burden. Integrating the record keeping requirements in your data mapping inventory or in your (D)PIA process may indeed make things significantly easier.