Guide to the Register of Data Processing Activities

The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) basically regulates how personal data should be lawfully processed (including how it’s collected, used, protected or interacted with in general). It is intended to strengthen data protection for all people whose personal information fall within its scope of application, putting personal data control back into their hands.

The aforementioned can, however, be a technical challenge to implement in practical terms. This is especially true for your register of data processing activities. Users must be able to describe which data they collect, for which purposes, the parties involved and some other details for the entire company, including data of employees.

If you are looking for further background information on the GDPR please have a look at our extensive GDPR guide.

This guide is meant to guide you step by step through our Register of Data Processing Activities.

Please note: Even though the GDPR is a common reason to put more effort into your register of data processing activities, our tool is not exclusively made for application under the GDPR. It can also be used for all your data processing activities in general, even by companies who do not have any users/customers within the EU.

Keep reading or view the full tutorial.

Does my organization need to keep records of processing activities under the GDPR? 

The GDPR requires both controllers and processors to keep a record of processing activities. Such records need to be in writing, including in electronic form. The Register of Data Processing Activities was specifically designed for controllers and processors to meet this requirement.

The record (also called “register”) of processing activities needs to be made available to the supervisory authority if requested.

What does the concept of area mean?

Areas are perimeters within which data processing activities are homogeneous. Examples of areas are your website, mobile app, physical stores, employees, recruiting, manufacturing facility etc. For each, you can provide a description of how data is being processed, just like you are doing probably already with our privacy policy generator or the terms of service generator for any given site. In short, areas are replications of the ‘site’ entity that are connected to each other, that you can create at will.

How are members/roles defined?

At the account level you’re able to add members, who can then be associated with a particular role (such as “controller”, “processor etc.) or a specific area.

When associating, you can choose what role the member has within the following options:

• Controller: means any person or legal entity involved in determining the purpose and ways of processing personal data.
• Member of the controller’s organization: see list of examples below
• Processor: means any person or legal entity involved in processing personal data on behalf of the controller
• Subject (sometimes also called user): means an individual whose personal data is processed by a controller or processor.

For example, an internet company may collect user information via their website and store it using a 3rd party cloud service. In this scenario, the internet company is the data controller and the organization running the cloud service is the data processor.

You can think of it as basically an address book. All current owners are members too.

Please be aware: The defaults that you put in the area members section are then applied by default to each service.

The following members are available by default:

• Employees
• Users
• EU Users
• Marketing Department
• HR Department
• Finance Department
• Customer Care Department
• Sales Department
• R&D Department
• Development Department
• Product Department
• Legal Department
• PR Department
• Intelligence Department

How can I configure services with the new fields?

Your privacy policy needs to be adapted to your site’s or app’s data collection practices. You do that by adding a service.

Services generally fall into two categories:

• Services related to your own data collection activities (eg. contact forms)
• Services related to third-party data collection activities (eg. Google Analytics)

When figuring out which basic services to add to your policy, it may help to ask yourself the following questions:

• What user data do I collect myself and how do I collect it?
  (eg. newsletter forms, contact forms, comment systems)
• Which third-party services do I use on my site/app? Most likely these services also process user data in some way and therefore must be included in your policy.

In the following section, we will go through the new fields that we have released to facilitate your register of data processing activities (you can find these fields in the customization window that shows up when you add a service). This will be done step by step in order to assist you in choosing the right option for your personal situation.

Label and Description

Those 2 fields are simply for your convenience to be able to describe the given service. An example for a label could be “DE data center” and the corresponding description could be “Frankfurt data center”.

Region

This is a field that only applies to some services where you can specify if you are keeping data in the EU. A good example of this is “Amazon Web services” (often abbreviated as “AWS”).

Custom personal data

A field that only some services have, that allows you to specify the personal data type collected through that service.

Legal basis for processing data

Under the GDPR, data can only be processed if there’s at least one lawful basis for doing so.

The lawful bases are:

• The user has given consent for one or more specific purposes.
• The data processing is necessary for the performance of a contract in which the user is a participant or necessary in order to take steps (requested by the user) prior to entering the contract.
• The processing is necessary for fulfilling a legal obligation to which the data controller is subject.
• The processing is necessary for protecting the vital interests of the user or of another person.
• The processing is necessary for performing a task carried out in the interest of the public or as contained under the official authority given to the data controller.
• The processing is necessary for the legitimate interests of the data controller or third party, except where overridden by the interests, rights and freedoms of the user, in particular where the user is a child.

In our tool you can select from the following options:

• Consent: Consent means offering individuals real choice and control. Genuine consent should put individuals in charge, build trust and engagement, and enhance your reputation. This refers to all tracking tools that are cookie-based, for which you collect consent via the cookie banner.
• Contract: All that you need to do in order to provide the service (hosting, etc). You can rely on this lawful basis if you need to process someone’s personal data:
  • to fulfil your contractual obligations to them; or
  • because they have asked you to do something before entering into a contract (for example providing a quote).
• Legal obligation: You can rely on this lawful basis if you need to process the personal data to comply with a common law or statutory obligation. This refers to invoicing for example.
• Vital interest: You are likely to be able to rely on the so-called vital interests as your lawful basis if you need to process the personal data to protect someone’s life. This processing must be necessary. If you can reasonably protect the person’s vital interests in another less intrusive way, this basis will not apply to your case.
• Public task: This is most relevant to public authorities, but it can apply to any organisation that exercises official authority or carries out tasks in the general public interest.
• Legitimate interest: Legitimate interests is certainly the most flexible lawful basis for processing, but you cannot assume it will always be the most appropriate for your case. It is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.
• Special category data: Special category data is personal data which according to the GDPR is more sensitive, and therefore needs more protection. This includes for example information about an individual’s race, religion or health.
• Criminal offence data: To process personal data about criminal convictions or offences, you must have both a lawful basis under Article 6 and either legal authority or official authority for the processing under Article 10.

Legal basis for data transfer outside of the EU

This only applies when you are transferring data outside of the EU so please choose accordingly.

You can choose between the following options:

• No data transfer: self-explanatory.
• Adequacy decisions: A decision adopted by the European Commission on the basis of Article 45 of Regulation (EU)2016/679, which establishes that a non-EU country ensures an adequate level of protection of personal data by reason of its domestic law or the international commitments it has entered into.
• Binding corporate rules: Binding Corporate Rules (BCRs) are designed to allow multinational companies to transfer personal data from the European Economic Area (EEA) to their affiliates located outside of the EEA in compliance with the Article 47 of the GDPR. The procedure is designed to avoid you having to approach each individual data protection authority separately. Further information can be found under Article 47.
• Appropriate safeguards: In the absence of a adequacy decision pursuant to Article 45(3), a controller or processor may transfer personal data to a third country or an international organization only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available. Further info can be found under Article 46.
• Consent: Consent means offering individuals real choice and control. Genuine consent should put individuals in charge, build trust and engagement, and enhance your reputation. This refers to all tracking tools that are cookie-based, for which you collect consent via the cookie banner.
• Standard data protection clauses adopted by the EU commission: The European Commission can decide that standard contractual clauses offer sufficient safeguards on data protection for the data to be transferred internationally. It has so far issued two sets of standard contractual clauses for data transfers from data controllers in the EU to data controllers established outside the EU or European Economic Area (EEA). Regulated by the GDPR and Regulation (EU) 2018/1725 (Data Protection Regulation applicable to the EU institutions, bodies, offices and agencies, “EUDPR”).
• Public interest: This is mostly relevant to public authorities, but it can apply to any organization that exercises official authority or carries out tasks in the general public interest.
• Establishment, exercise or defence of legal claims.
• Vital interest: You are likely to be able to rely on the so-called vital interests as your lawful basis if you need to process the personal data to protect someone’s life. This processing must be necessary. If you can reasonably protect the person’s vital interests in another less intrusive way, this basis will not apply to your case.

Those related to the processing of personal data

Controller
Means any person or legal entity involved in determining the purpose and ways of processing the personal data.

Processors
Means any person or legal entity involved in processing personal data on behalf of the controller.

Members of the controller organization
A common example for this are the employees of the given company/organization.

Subjects
Can be for example either the users of the given website or app, visitors of a physical store or paying clients.

Available rights

Under normal circumstances, matters that have “consent” as the legal basis for processing, need to have all of the rights selected. Our solution offers you the following options:

• Information: Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR.
• Access: Individuals have the right to access their personal data and supplementary information. The right of access allows individuals to be aware of and verify the lawfulness of the processing.
• Rectification: The GDPR includes a right for individuals to have inaccurate personal data rectified, or completed if it is incomplete. An individual can make a request for rectification verbally or in writing.
• Erasure: The GDPR introduces a right for individuals to have personal data erased (also called the “right to be forgotten”). Individuals can make a request for erasure verbally or in writing.
• Restrict processing: Individuals have the right to request the restriction or suppression of their personal data. This is however not an absolute right and only applies in certain circumstances. More information can be found here.
• Data portability: The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability.
• Object: Individuals have the right to object to:
  • processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);
  • direct marketing (including profiling); and
  • processing for purposes of scientific/historical research and statistics.

Retention policy

This field refers to how long data is being stored. The default option is “keeping the data for the time necessary to fulfill the purpose” and should apply to most cases. Otherwise, you can choose from a period of 1 up to 5 years.

Security measures

Common examples here are the used encryption method or vulnerability assessments/penetration tests meaning that your technical systems should be tested periodically in order to evaluate the safety and resilience of your systems.

Another important measure is the so-called “backup and storage of backup media” which means that it is advisable to keep the backup media in a dedicated place accessible only to the personnel in charge. The safety of the place should be verified at least annually.

It is also recommended to install and maintain a firewall. It is advisable to review the current configurations, manage permissions for system users, check that the system is up to date and finally proceed with the installation on portable devices. Having a firewall in place is however obviously nothing new in relation to the GDPR and should be regarded as a minimum security measure already provided for by current standards.

From the tool you will be able to choose from the following options:

• Encryption: Encryption is a broadly used process whereby data gets turned into an encoded and unintelligible version, using encryption algorithms and an encryption key, and whereby a decryption key or code enables others to decode it again.
• Anonymization: Recital 26 of the GDPR defines anonymized data as “data rendered anonymous in such a way that the data subject is not or no longer identifiable.”
• Pseudonymization: Pseudonymization is the separation of data from direct identifiers so that linkage to an identity is not possible without additional information that is held separately. It may therefore reduce the risks associated with data processing, while also maintaining the data’s utility.
• Auditing: Regular data audits alongside reviews and data management exercises are ongoing requirements to maintain compliance under the GDPR.
• Access limitation: This refers to limited access to any personally identifiable data that is collected or stored from any individual in the European Union.

What does the button “Adding alternates” mean?

To thoroughly describe the processing as required under the GDPR, you must be very granular in describing your data collection practices. A common scenario is that of a website having multiple contact forms, where each form is aimed at different individuals or for which the data is shared with different parties. Another example is having two different newsletters for different user-groups or customers.

Our Register of Data Processing Activities tool therefore allows you to add different versions of the same service.

Practical Examples

Let’s now go through a range of specific examples to make the above information more practical including our “alternate options”: