Belgian DPA releases Recommendation on Internal Records ex Art. 30 GDPR

Background information/Scenario
The Belgian Data Protection Authority issued Recommendation No. 06/2017 on 14 June 2017 (available in French and Dutch) with the aim of providing guidelines to data controllers and data processors in relation to their obligation to establish and maintain internal records of data processing activities (“Internal Record”) by May 25, 2018, pursuant to Article 30 of the EU General Data Protection Regulation (“GDPR”).

Main issue
The Belgian DPA opens its recommendation underlining that the requirement ex Art.30 GDPR interests both data controllers, and data processors. The document addresses the following issues:

– Who should keep an Internal Record? Are there exceptions?

The recipients of the obligation are data controllers (as defined by Artcile 4(7) GDPR) pursuant to Article 30(1) GDPR, together with their eventual representatives, and data processors (as defined by Article 4(8) GDPR) pursuant to Article 30(2) GDPR. The maintenance of Internal Records of processing activities is not mandatory for companies or organizations with fewer than 250 employees pursuant to Article 30(5) GDPR, unless one of the following conditions is applicable: (1) their data processing activities are likely to entail a risk to the rights and freedoms of the data subjects; (2) the processing is not occasional (e.g., non-occasional processing activities are data processing related to customer management or human resources management); (3) the processing relates to special categories of personal data (ex Article 9 GDPR); (4) the processing regards personal data related to criminal convictions and offences or related security measures (ex Article 10 GDPR). Notwithstanding these exceptions, the Belgian DPA advices all data controllers and data processors to establish internal records, regardless their size, whenever they engage in regular processing activities.

– Which is the reason of this obligation?

In the view of the Belgian DPA, the Internal Record is one of the tools to demonstrate accountability, that being the principle of responsibility of the data controller (as well as, indirectly, of the data processor) which underlies all the obligations placed on him by the GDPR. In line with Article 30(4) GDPR, data controller and data processors may be asked to make the Internal Record available to the relevant Data Protection Authority on request. Therefore, the information contained in this record is a key source of information for the Data Protection Authority in conducting its controls.

– What shall an Internal Record contain?

The Internal Record shall contain the required information with regard to all data processing activities carried out at the date of May 25, 2018, whether these activities were previously or recently initiated.
Each data controller and, where applicable, the data controller’s representative shall maintain the Internal Record containing the following information: (a) who handles personal data: name and contact details of the data controller and, where applicable, of the joint data controller, the data controller’s representative and of the data protection officer; (b) why: the purposes of the processing; (c) what: a description of the categories of data subjects and of the categories of personal data controlled, for each of the identified purposes; (d) where: the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations; (e) information on transfers of personal data to a third country or an international organisation if applicable and the documentation of suitable safeguards; (f) until when: the envisaged time limits for erasure of the different categories of personal data; (g) how: where possible, a general description of the technical and organisational security measures pursuant to Article 32(1) GDPR.

Each data processor and, where applicable, the data processor’s representative shall maintain the Internal Record containing the following information: (a) who processes personal data: the name and contact details of the data processor or data processors and of each data controller on behalf of which the processor is acting, and, where applicable, of the data controller’s or the data processor’s representative, and of the data protection officer; (b) what: the categories of processing activities carried out on behalf of each controller; (c) where applicable, information on transfers of personal data to a third country or an international organisation and the documentation of suitable safeguards; (d) how: where possible, a general description of the technical and organisational security measures referred to in Article 32(1) GDPR.
The Belgian DPA clarifies that the Internal Records can contain additional information that may be useful for the data controllers and processors to identify a series of measures to be taken to fulfil all the obligations deriving from the GDPR.

– How to establish an Internal Record?

The Internal Records shall be available in writing, including in electronic form. They must be clear and easily understandable for the Data Protection Authority. The format can be flexible in order to accommodate the needs of each type of processing. The Internal Record must be constantly updated. The retention period for the information once the processing has ceased is not specified but the Belgian DPA advices data controllers and processors to retain this information for accountability purposes. The language is not mandated. Multinational companies, for example, may establish their Internal Record in English. A translation into one of the national languages at the expense of the data controller or processor may be requested by the Data Protection Authority.

– To whom an Internal Record is addressed?

The Internal Record is first and foremost a tool designed to help data controllers and processors to comply with the obligations deriving from the GDPR. Secondly, it is addressed to the Data Protection Authority to which it must be made available on first request. It is not addressed to the public or to the data subjects.
– Which sanction(s) derives from incompliance?
Failure to comply with the obligation under Article 30 GDPR may result in:
(1) an administrative fine of up to 10,000,000 EUR;
(2) or, if a company is concerned, 2% of the company’s global annual turnover, whichever is higher.

Practical actions
Companies must be aware that mapping data activities and maintaining records thereof is essential both for data controllers and for data processors. Only having a clear and updated overview of this data processing the obligations deriving from the GDPR can be fulfilled. This consideration applies also to small and medium-sized enterprises under the above listed circumstances.

As recommended by the Belgian DPA, all stakeholders responsible at the operational level for data processing should be involved in the preparation of these records. Therefore, not only the data controller or the data processor, but also, where applicable, the data controller’s or the data processor’s representative and, most importantly, the data protection officer.

Companies are encouraged to insert additional information in the records, beyond the mandated requirements. Companies have to ensure that their Records are kept up to date, clear, understandable, in writing and electronically available, and that the Data Protection Authority can consult them on first request.