Processing records for personal data
Creation of a processing file
There is no formal requirement on how the processing file should be presented, or what method should be used in making it.
The organisation itself decides how the register is arranged, whether as a summary in a written document, an Excel document, or in some other way.
It should be noted that compliance with the requirements regarding the content of the processing records is mandatory and therefore it is necessary to ensure that they are fulfilled regardless of the form used.
Data Protection has prepared guidelines on the one hand and on the other hand, which can be used to obtain the necessary overview.
The processing file of the controller shall contain the following information:
Name and contact details of the controller and, where applicable, the joint controller, the controller's representative and the data protection officer.
The purpose of the processing.
A description of the categories of registered individuals and categories of personal data.
The categories of recipients who have received or will receive the personal data, including recipients in third countries or international organisations.
If applicable, the transfer of personal data to a third country or an international organisation. This would require the third country or international organisation to be identified and the safeguards to be applied.
If possible, the proposed time limits for deletion of different categories of data.
If possible, a general description of the technical and organisational security measures that have been taken.
The processor's processing file shall contain the following information:
Name and contact details of the processor or processors and of each controller on whose behalf the processor is acting and, where applicable, the representative of the controller or the processor and the data protection officer.
Categories of processing carried out on behalf of each controller.
Where appropriate, the transfer of personal data to a third country or international organisation, including the third country or international organisation concerned, and, in the case of the transfer referred to in the second subparagraph of Article 49(1) of the GDPR, data regarding appropriate security measures.
If possible, a general description of the technical and organisational security measures that have been taken.
The form for the controllers contains more columns than is required by law.
This is because better oversight can be a good tool in the work to ensure compliance with the obligations and rights of the registered person.
It is then easier to answer questions from individuals who want to be informed about what is recorded about them, where the information is from, and on what source the information is processed.
The overview is also useful when meeting the ongoing information obligation, for example, with regard to data protection policy.
Note that each controller may need to adapt the list to their own situation, as controllers' activities may vary greatly in size and scope.
Note also that the main purpose of the file is to give an overview of the processing of personal data carried out in the operation, not necessarily to record every single processing operation.