EU General Data Protection Regulation: New legal requirements for the records of data processing activities
As of May 2018, the EU General Data Protection Regulation (GDPR) applies. Until then data processing operations need to be adapted to the new requirements. We provide you with important information on the new records of data processing activities.
The GDPR stipulates broad requirements regarding the documentation and proof of compliance. In future, controllers have to prove that their data processing operations meet the requirements of the GDPR (accountability).
The records of processing activities, subject to Article 30 GDPR, are one important part of the privacy documentation. They are similar to the procedure index already known from German Privacy Law (BDSG).
There are quite a few changes under Article 30 GDPR.
To start with, the GDPR provides that only enterprises employing 250 employees or more have to keep a record of processing activities. However, this obligation also applies to smaller enterprises if
Therefore, also a lot of small and medium size enterprises will be obliged to keep the records.
Another novelty is that the GDPR does not distinguish between the internal and the external records anymore. There is now only one kind of record: the internal record. Upon request, it has to be made available to the supervising authorities.
Finally, if the requirements are not met, an administrative fine of up to EUR 10 Million or up to 2% of the annual global turnover may be imposed, Article 83 (4) GDPR.
With respect to the content, the record has to provide general information:
Name and contact details of the
Additionally, cross-procedural technical and organizational information has to be provided:
Finally, specified information on the separate data processing operations has to be provided:
► recipient,
► third country or organization,
► sufficient guarantees for the protection of the data and the rights of the data subjects in the third country or the international organization,
In case of commissioned data processing, in addition to the general information on the controllers, information on the commissioned data processor has to be provided.
The records of processing activities shall be in writing or in electronic form.
www.deloitte-tax-news.de | Diese Mandanteninformation enthält ausschließlich allgemeine Informationen, die nicht geeignet sind, den besonderen Umständen eines Einzelfalles gerecht zu werden. Sie hat nicht den Sinn, Grundlage für wirtschaftliche oder sonstige Entscheidungen jedweder Art zu sein. Sie stellt keine Beratung, Auskunft oder ein rechtsverbindliches Angebot dar und ist auch nicht geeignet, eine persönliche Beratung zu ersetzen. Sollte jemand Entscheidungen jedweder Art auf Inhalte dieser Mandanteninformation oder Teile davon stützen, handelt dieser ausschließlich auf eigenes Risiko. Deloitte GmbH übernimmt keinerlei Garantie oder Gewährleistung noch haftet sie in irgendeiner anderen Weise für den Inhalt dieser Mandanteninformation. Aus diesem Grunde empfehlen wir stets, eine persönliche Beratung einzuholen.
This client information exclusively contains general information not suitable for addressing the particular circumstances of any individual case. Its purpose is not to be used as a basis for commercial decisions or decisions of any other kind. This client information does neither constitute any advice nor any legally binding information or offer and shall not be deemed suitable for substituting personal advice under any circumstances. Should you base decisions of any kind on the contents of this client information or extracts therefrom, you act solely at your own risk. Deloitte GmbH will not assume any guarantee nor warranty and will not be liable in any other form for the content of this client information. Therefore, we always recommend to obtain personal advice. |