How to set up a GDPR processing register

When you process personal data, you need to be able to prove you comply with the privacy regulation GDPR (AVG in Dutch). Among other things, you need to have a processing register, in which you record which personal data you use and for which purpose. It is not as hard as you may think to set up your own processing register. Read this article to find out what a processing register is and how to make one yourself.

The GDPR forces you to be aware of how your business processes and protects personal data. There are several GDPR requirements for working with personal details. You need to have a privacy statement, for example, and you need to secure the data you gather. Another requirement is that you set up, and keep up-to-date, a processing register. This register will help you meet your duty to account, that is, prove that you are compliant with GDPR regulations.   

What is a processing register?

In a processing register, you record general information on the type of personal data you process, and to what end. Personal data are data that can be traced back to an individual, such as a name, date of birth or payment details. For example, you record in your processing register that you process 'customer data', like 'names and addresses'. And you record that you need these details to send packages. You do not enter the specific personal data in your processing register. In other words, your processing register does not contain any personal data of your customers.


You do not have to publish the processing register. You only need to show it to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) if they ask for it. If you do not have a processing register, or if it fails to meet the requirements, AP can impose a fine (in Dutch). Depending on the offence, this fine can amount to a hefty sum. 

How to make your processing register

There is no fixed format for making your processing register. You can opt for an Excel spreadsheet, or for one of the tools available online. Your sector organisation may also be able to help you setting up your processing register. 

Start by listing all the business processes that involve the processing of personal data. These are also called processing activities. For example:

  • online sales
  • sending newsletters
  • payroll administration

Then fill in the required part of the processing register per process.

Example of a processing register

Responsible for processing:
Alex Computershop
Alex van de Kamer
alex@computershop.nl - 06-12345678

 Processing activityPurposeInvolvedType of dataRecipientsLegal basis
Retention period
Security measures
Sales via online shopOrder deliveries, meeting contract obligationsCustomersName, address, email address, telephone number, payment details
Postal services,  hosting provider,
Payment Service Provider
Contract obligations
Fiscal record retention duty, 7 yearsSecurity
software,
SSL
Sending newslettersInform about promotionsCustomersEmail addressNewsletter 
system
ConsentUntil customer unsubscribesVia secured mail server
Wage payment employeePay wages, administration duty
EmployeesAddress data, bank data, citizen service number BSN, ID copy, employment contract detailsPayroll services providerContract obligations
Fiscal record retention duty, 7 yearsVia secured payment 
system
PurchasingBuying new materials, maintaining contactSuppliersTelephone number and email addressnaContract obligationsFiscal record retention duty, 7 yearsMultifactor Authentication

This is solely an (incomplete) example, and no rights can be derived from it. 

Parts of the GDPR processing register

Your processing register must contain several parts. Some parts are only required if they apply to your situation. For example, if you do not forward personal data to another country or international organisation, you do not have to list this in your processing register. 

Required

The processing register must contain the following parts:

Responsible for processing

The entity or person responsible for processing the data determines which personal data your business collects, and for which purpose. It may be you as an entrepreneur, or your legal entity, your bv for example.

Involved

You describe the group of people whose personal data you process, so 'customers', or 'employees', for example.

Type of personal data

Record which personal data you process. For example: name, address, phone number or IP addresses.

Purpose of processing

You may only use personal data if you need it to carry out a pre-defined purpose. That means: you need to know the purpose before you start processing the personal data. For instance, you need a customer's address details to send a package. You record the purpose of processing in the processing register.

Recipients

Record in the processing register who receives the personal data. Do you send out packages using a parcel service? In that case, the parcel delivery company is a recipient of the personal data you have collected.

Note: you use a general description. You do not put the personal data in the processing register.

Required in specific situations

You only have to record the following elements in your processing register if they are relevant to your situation.

Security measures

You record how you secure personal data, both organisationally and technically, in your processing register. An example of such a security measure is setting up multifactor authentication (in Dutch) for files or your laptop.

Retention period

You are legally required to retain some personal data as part of your business records. For example, you have to retain your financial administration for 7 years, in case the Tax Administration requests to see it. List these retention periods in your processing register. If you process data without a legal retention period, make sure you do not hang on to them any longer than necessary. In that case, record in your processing register that you will delete the data as soon as you no longer have a use for it.

Forwarding to a third country or international organisation

It is possible that the data you process is stored on a server abroad. For example, if you use software for sending newsletters, or making and receiving payments. If you use software from parties that store data in a country different from the one your business is located in, mention it in your processing register. 

Not a requirement for the register, but good to have

If you process personal data, you must have a legal basis, or ground, to do so. You cannot make up these grounds yourself, they are listed in the GDPR. One example is 'contract obligations'. This is the legal basis you have when a customer orders a product from you, and you need their details to be able to deliver. You are not allowed to process personal data if you have no valid legal basis. 

You need to be able to prove to the DPA that your processing activities have a legal basis. It is a good idea to record this legal basis in your processing register for every type of processing you do. To be clear: it is not a requirement for the processing register to record this here; but recording this in your processing register means you comply with this GDPR requirement.

When do you set up and maintain your processing register?

You set up your processing register as soon as you start processing personal data. If you start processing different types of personal data, add these to the register straightaway. For example, if you start sending out email newsletters. Keep your processing register up-to-date, so you remain compliant with the privacy legislation.


Lees dit artikel in het Nederlands

InfoPage