How to set up a GDPR processing register
- KVK Editors
- The basis
- 23 September 2022
- Edited 17 January 2024
- 5 min
- Rules and laws
When you process personal data, you need to be able to prove you comply with the privacy regulation GDPR (AVG in Dutch). Among other things, you need to have a processing register, in which you record which personal data you use and for which purpose. It is not as hard as you may think to set up your own processing register. Read this article to find out what a processing register is and how to make one yourself.
The following video (in Dutch) explains how to set up a GDPR processing register.
AVG: verwerkingsregister
The GDPR forces you to be aware of how your business processes and protects personal data. There are several GDPR requirements for working with personal details. You need to have a privacy statement, for example, and you need to secure the data you gather. Another requirement is that you set up, and keep up-to-date, a processing register. This register will help you meet your duty to account, that is, prove that you are compliant with GDPR regulations.
What is a processing register?
In a processing register, you record general information on the type of personal data you process, and to what end. Personal data are data that can be traced back to an individual, such as a name, date of birth or payment details. For example, you record in your processing register that you process 'customer data', like 'names and addresses'. And you record that you need these details to send packages. You do not enter the specific personal data in your processing register. In other words, your processing register does not contain any personal data of your customers.
You do not have to publish the processing register. You only need to show it to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) if they ask for it. If you do not have a processing register, or if it fails to meet the requirements, AP can impose a fine (in Dutch). Depending on the offence, this fine can amount to a hefty sum.
How to make your processing register
There is no fixed format for making your processing register. You can opt for an Excel spreadsheet, or for one of the tools available online. Your sector organisation may also be able to help you setting up your processing register.
Start by listing all the business processes that involve the processing of personal data. These are also called processing activities. For example:
- online sales
- sending newsletters
- payroll administration
Then fill in the required part of the processing register per process.
Example of a processing register
Responsible for processing:
Alex Computershop
Alex van de Kamer
alex@computershop.nl - 06-12345678
Processed data from customers
| Online sales | Newsletter | |
|---|---|---|
| Purpose | Order deliveries, meeting contract obligations | Inform about promotions |
| Involved | Customers | Customers |
| Type of data | Name, address, email address, phone number, payment details | Email address |
| Recipients | Postal services, hosting provider, Payment Service Provider | Newsletter system |
| Legal basis | Contract obligation | Consent |
| Retention period | Fiscal record retention duty, 7 years | Until customer unsubscribes |
| Safety measures | Security software, SSL | Via secured mail server |
Processed data from staff and suppliers
| Employee wage payment | Purchasing | |
|---|---|---|
| Purpose | Pay wages, administration duty | Purchasing materials, maintaining contact |
| Involved | Employees | Suppliers |
| Type of data | Address and bank details, BSN, ID copy, employment contract details |
Phone number, |
| Recipients | Payroll services provider | n.a. |
| Legal basis | Contract obligation | Contract obligation |
| Retention period | Fiscal record retention duty, 7 years | Fiscal record retention duty, 7 years |
| Safety measures | Via secured payment system | Multifactor Authentication |
Please note: These examples are incomplete, and no rights can be derived from them.
Parts of the GDPR processing register
Your processing register must contain several parts. Some parts are only required if they apply to your situation. For example, if you do not forward personal data to another country or international organisation, you do not have to list this in your processing register.
Required
The processing register must contain the following parts:
Responsible for processing
The entity or person responsible for processing the data determines which personal data your business collects, and for which purpose. It may be you as an entrepreneur, or your legal entity, your bv for example.
Involved
You describe the group of people whose personal data you process, so 'customers', or 'employees', for example.
Type of personal data
Record which personal data you process. For example: name, address, phone number or IP addresses.
Purpose of processing
You may only use personal data if you need it to carry out a pre-defined purpose. That means: you need to know the purpose before you start processing the personal data. For instance, you need a customer's address details to send a package. You record the purpose of processing in the processing register.
Recipients
Record in the processing register who receives the personal data. Do you send out packages using a parcel service? In that case, the parcel delivery company is a recipient of the personal data you have collected.
Note: you use a general description. You do not put the personal data in the processing register.
Required in specific situations
You only have to record the following elements in your processing register if they are relevant to your situation.
Security measures
You record how you secure personal data, both organisationally and technically, in your processing register. An example of such a security measure is setting up multifactor authentication for files or your laptop.
Retention period
You are legally required to retain some personal data as part of your . For example, you have to retain your financial administration for 7 years, in case the Tax Administration requests to see it. List these retention periods in your processing register. If you process data without a legal retention period, make sure you do not hang on to them any longer than necessary. In that case, record in your processing register that you will delete the data as soon as you no longer have a use for it.
Forwarding to a third country or international organisation
It is possible that the data you process is stored on a server abroad. For example, if you use software for sending newsletters, or making and receiving payments. If you use software from parties that store data in a country different from the one your business is located in, mention it in your processing register.
Not a requirement for the register, but good to have
If you process personal data, you must have a legal basis, or ground, to do so. You cannot make up these grounds yourself, they are listed in the GDPR. One example is 'contract obligations'. This is the legal basis you have when a customer orders a product from you, and you need their details to be able to deliver. You are not allowed to process personal data if you have no valid legal basis.
You need to be able to prove to the DPA that your processing activities have a legal basis. It is a good idea to record this legal basis in your processing register for every type of processing you do. To be clear: it is not a requirement for the processing register to record this here; but recording this in your processing register means you comply with this GDPR requirement.
When do you set up and maintain your processing register?
You set up your processing register as soon as you start processing personal data. If you start processing different types of personal data, add these to the register straightaway. For example, if you start sending out email newsletters. Keep your processing register up-to-date, so you remain compliant with the privacy legislation.
