For your (privacy) records: who, what and how?

On 14 June 2017, the Belgian Privacy Commission published a recommendation (06/2017) on the records of processing activities by data controllers and processors, when required to do so under Article 30 of the GDPR (the “Recommendation”).

As a reminder, the obligation to maintain – and update – a record containing the processing activities (such as the names and contact details, a general description of the technical and organizational security measures, etc.), including in electronic form, applies to any enterprise or organization:

(1)   employing more than 250 persons;

(2)   carrying out processing activities “likely to result in a risk to the rights and freedoms of data subjects” (e.g. where processing involves a large amount of personal data and affects a large number of data subjects);

(3)   processing “sensitive” information, as set out in the regulation (e.g. genetic data or personal data relating to criminal convictions and offences); and/or

(4)   processing personal data repeatedly, not just “occasionally” (i.e. “occurring or appearing at irregular or infrequent intervals”). In other words, customer, supplier or staff management is not occasional. As a result, the vast majority of SMEs are also subject to this obligation.

The Commission provides concrete guidance on how to establish such a record (based on its existing explanatory note for filing a notification, attached to the Recommendation), while pointing out differences between the records of a data controller and a data processor.

Such a record must be made available to the supervisory authority on request, but not to the data subjects themselves or to the public.

Finally, it is worth noting that the record may be established in a foreign language, such as English (although the translation into French, Dutch or German can be ordered by the supervisory authority, as the case may be).

The Recommendation and the GDPR can be found at: