Data Protection Report - Norton Rose Fulbright

The German Data Protection Authorities (DPAs, acting as the German Data Privacy Conference, Konferenz der unabhängigen Datenschutzbehörden des Bundes und der Länder) recently published templates for the records of processing activities for controllers (Art. 30 para. 1 GDPR) and processors (Art. 30 para. 2 GDPR) together with a corresponding guidance document. This guidance was expected to be released earlier as the EU General Data Protection Regulation (GDPR) will take effect in less than a hundred days and organisations must meet its requirements from 25 May 2018. However, the guidance does not contain significant new information and mainly confirms previous understanding.

In detail:

  • The guidance describes the register as being the core element for GDPR compliance, i.e., core for a comprehensive data privacy and information security management system. It is described as the most important document to demonstrate data privacy compliance with regard to the principle of accountability.
  • Unsurprisingly, the guidance expects a register to be submitted to a German DPA upon request in the German language. However, the register may be kept in different languages as long as the organisation is able to swiftly present a German translation upon request.
  • What is a little more unexpected is the DPAs’ recommendation that organisations list not only the recipients of data transfers outside the organisation but also the details of the internal groups or persons having access to the data being processed. This may require a greater level of detail than some organisations have included in their registers to date.
  • The guidance also elaborates on the threshold of 250 employees above which the GDPR requires a register to be maintained. In practice, the DPAs say this threshold is more or less irrelevant as even with one employee a company would be processing sensitive data – in which case a register is required.
  • Finally, the guidance suggests linking further data privacy documents (e.g. general privacy policies, data security information or documents on PIA procedures) from the register as reference documents.

Our take

This guidance has been released less than 100 days before the GDPR enters into force. This is very late, given that the registers are a logical first step of a GDPR preparation project. It would seem unreasonable for DPAs to expect organisations which have finished their registers to go back and rework them to be in line with this guidance (at least in the short term).

However, in terms of content, the guidance generally confirms current views. It is interesting to see the emphasis put on the importance of data mapping to comply with the accountability requirements of the GDPR.