Danish Data Protection Supervisor’s decision increases granularity requirements for records of data processing activities
The General Data Protection Regulation (“GDPR”) has imposed an obligation on a large number of controllers to keep records of their processing activities. This document reflects a company’s data processing operations and is one of the key documents for the implementation of the principle of accountability.
Following the GDPR, this document should specify:
- the identity of the controller and the name and contact details of the controller’s representative and the data protection officer (if appointed);
- the purposes for which the controller processes personal data;
- the categories of persons whose personal data are processed and the categories of personal data processed;
- the recipients to whom the personal data have been or will be disclosed;
- the foreseeable time limits for erasure;
- where applicable, recipients in countries outside the European Economic Area and the safeguards applicable to such transfers of personal data;
- a description of the technical and organisational security measures, where feasible.
The text of the GDPR itself does not impose any further specific requirements on the content of this document. In this context, almost immediately after the entry into force of the GDPR, the State Data Protection Inspectorate (hereinafter ‘the DPAI’) issued a recommendation on the keeping of records of processing activities and a model form for records of processing activities for the controller (as well as for the processor, although the latter are not usually problematic).
Although the model form for data processing activity records prepared by the DPAI is not very practical, it is the one used by most companies and bodies. However, in August this year, the Danish Data Protection Supervisor issued updated guidance on keeping records of data processing activities, answering several important questions that were not answered by the DPAI and are not contained in the text of the GDPR. It should be noted that, according to the Danish DPA’s guidelines, the model form for recording data processing activities prepared by the DPAI will not be suitable for use in some cases.
The Danish supervisory authority has clarified:
- the applicable technical and organisational security measures to ensure the protection of personal data do not have to be contained in the records of processing activities. It is sufficient to refer to a description of the technical and organisational security measures (or a document of equivalent content under another name) detailing the technical and organisational security measures applied;
- the records of processing activities should reflect for which categories of persons (e.g. customers, patients, service providers, employees, etc.) personal data are processed, as well as which categories of personal data about these persons are processed (e.g. identification data, contact data, qualification data, etc.);
- a high level of detail is required when describing categories of recipients. For each specific purpose of processing, the records of processing activities must indicate which personal data (or categories of personal data) have been or will be transferred to which recipients.
It is this last part that is important in deciding whether the guidance format for data processing activity records developed by the DPAI will be appropriate for you. The model form drawn up by the DPAI will only be appropriate if all the personal data (or categories of personal data) that are processed for a specific purpose have been or will be transferred to the specified recipients. However, if part of the personal data processed for the specific purpose may be transferred to recipients A, B, and C and the rest to recipients A, D, and E, the model form drawn up by the DPAI will no longer be appropriate.
It should be noted that the position of the Danish Data Protection Supervisor does not differ from that of the DPAI. The DPAI states in its Recommendation on records of processing activities that the records of processing activities must contain ‘a detailed description of the processing of personal data carried out’. Thus, when keeping records of their data processing activities, companies should assess whether the model form developed by the DPAI is appropriate for their processing of personal data.
It should also be mentioned why the decision of the Danish DPA is relevant. The GDPR applies throughout the European Union and the countries of the European Economic Area. Thus, as of today, 31 national data protection supervisory authorities in 31 countries provide various recommendations on the implementation of the GDPR. These interpretations should be considered valid in all EU countries, as they are complementary to the existing national interpretations, to ensure uniform application of the GDPR. This is also the position of the State Data Protection Inspectorate.
Summarising the updated guidelines of the Danish Data Protection Supervisor on the keeping of records of processing activities, it can be concluded that records of processing activities should be kept in such a way that they reflect in a highly detailed manner the activities of the company or body concerning the personal data.
In addition to other mandatory content elements, this document should make clear:
- which persons’ personal data are collected;
- what personal data (categories of data) about these persons are collected;
- which personal data (categories of data) may be shared with which recipients (or categories of recipients) for each processing purpose;
- how long the personal data (categories of data) will be kept.