The GDPR forces you to be aware of how your business processes and protects personal data. There are several GDPR requirements for working with personal details. You need to have a privacy statement, for example, and you need to secure the data you gather. Another requirement is that you set up, and keep up-to-date, a processing register. This register will help you meet your duty to account, that is, prove that you are compliant with GDPR regulations.
What is a processing register?
In a processing register, you record general information on the type of personal data you process, and to what end. Personal data are data that can be traced back to an individual, such as a name, date of birth or payment details. For example, you record in your processing register that you process 'customer data', like 'names and addresses'. And you record that you need these details to send packages. You do not enter the specific personal data in your processing register. In other words, your processing register does not contain any personal data of your customers.
You do not have to publish the processing register. You only need to show it to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) if they ask for it. If you do not have a processing register, or if it fails to meet the requirements, AP can impose a fine (in Dutch). Depending on the offence, this fine can amount to a hefty sum.
How to make your processing register
There is no fixed format for making your processing register. You can opt for an Excel spreadsheet, or for one of the tools available online. Your sector organisation may also be able to help you setting up your processing register.
Start by listing all the business processes that involve the processing of personal data. These are also called processing activities. For example:
- online sales
- sending newsletters
- payroll administration
Then fill in the required part of the processing register per process.
Example of a processing register
Responsible for processing:
Alex van de Kamer
firstname.lastname@example.org - 06-12345678
|Processing activity||Purpose||Involved||Type of data||Recipients||Legal basis||Retention period||Security measures|
|Sales via online shop||Order deliveries, meeting contract obligations||Customers||Name, address, email address, telephone number, payment details||Postal services, hosting provider,|
Payment Service Provider
|Contract obligations||Fiscal record retention duty, 7 years||Security|
|Sending newsletters||Inform about promotions||Customers||Email address||Newsletter |
|Consent||Until customer unsubscribes||Via secured mail server|
|Wage payment employee||Pay wages, administration duty||Employees||Address data, bank data, citizen service number BSN, ID copy, employment contract details||Payroll services provider||Contract obligations||Fiscal record retention duty, 7 years||Via secured payment |
|Purchasing||Buying new materials, maintaining contact||Suppliers||Telephone number and email address||na||Contract obligations||Fiscal record retention duty, 7 years||Multifactor Authentication|
This is solely an (incomplete) example, and no rights can be derived from it.
Parts of the GDPR processing register
Your processing register must contain several parts. Some parts are only required if they apply to your situation. For example, if you do not forward personal data to another country or international organisation, you do not have to list this in your processing register.
The processing register must contain the following parts:
Responsible for processing
The entity or person responsible for processing the data determines which personal data your business collects, and for which purpose. It may be you as an entrepreneur, or your legal entity, your bv for example.
You describe the group of people whose personal data you process, so 'customers', or 'employees', for example.
Type of personal data
Record which personal data you process. For example: name, address, phone number or IP addresses.
Purpose of processing
You may only use personal data if you need it to carry out a pre-defined purpose. That means: you need to know the purpose before you start processing the personal data. For instance, you need a customer's address details to send a package. You record the purpose of processing in the processing register.
Record in the processing register who receives the personal data. Do you send out packages using a parcel service? In that case, the parcel delivery company is a recipient of the personal data you have collected.
Note: you use a general description. You do not put the personal data in the processing register.
Required in specific situations
You only have to record the following elements in your processing register if they are relevant to your situation.
You record how you secure personal data, both organisationally and technically, in your processing register. An example of such a security measure is setting up multifactor authentication (in Dutch) for files or your laptop.
You are legally required to retain some personal data as part of your business records. For example, you have to retain your financial administration for 7 years, in case the Tax Administration requests to see it. List these retention periods in your processing register. If you process data without a legal retention period, make sure you do not hang on to them any longer than necessary. In that case, record in your processing register that you will delete the data as soon as you no longer have a use for it.
Forwarding to a third country or international organisation
It is possible that the data you process is stored on a server abroad. For example, if you use software for sending newsletters, or making and receiving payments. If you use software from parties that store data in a country different from the one your business is located in, mention it in your processing register.
Not a requirement for the register, but good to have
If you process personal data, you must have a legal basis, or ground, to do so. You cannot make up these grounds yourself, they are listed in the GDPR. One example is 'contract obligations'. This is the legal basis you have when a customer orders a product from you, and you need their details to be able to deliver. You are not allowed to process personal data if you have no valid legal basis.
You need to be able to prove to the DPA that your processing activities have a legal basis. It is a good idea to record this legal basis in your processing register for every type of processing you do. To be clear: it is not a requirement for the processing register to record this here; but recording this in your processing register means you comply with this GDPR requirement.
When do you set up and maintain your processing register?
You set up your processing register as soon as you start processing personal data. If you start processing different types of personal data, add these to the register straightaway. For example, if you start sending out email newsletters. Keep your processing register up-to-date, so you remain compliant with the privacy legislation.