Article 30 of the GDPR has announced an obligation to keep a record of data processing with regard to the activities of the person responsible and the activities of the subcontractor. Basically, companies must now document all data processing as a form of demonstrating GDPR compliance. Read on to find out what this means for your data collection process, and how Didomi's solution can help you achieve swift and easy compliance. 

 

Summary: 

 

 

 

What is a record of processing activities?  

 

Regarded by the CNIL as "a real tool for managing your compliance with the GDPR", a record of processing activities is a means of documenting and analyzing all the personal data processed by a company.  

 

Article 30 of the GDPR imposes an obligation to keep a record of processing activities with regard to the activities of the data controller and the activities of the processor. In practice, in this case, the CNIL recommends that you keep 2 registers:

 

  • One for the processing of personal data for which you yourself are responsible;

  • Another for the processing that you, as a subcontractor, carry out on behalf of your customers.

 

The data controller and the processor must keep a detailed record of the processing operations carried out. They must also keep the records at the disposal of the supervisory authority (CNIL), who can access them on request. 

 

Who does this obligation apply to? The CNIL considers that it applies to all organizations that process personal data on a regular basis. 

 

Does this apply to you? Contact Didomi and we can help you set up a compliant method for creating these records. 

 

  Request a demo

 

What information should be included in a record of processing activities? 

 

The record must include all of the following information (some of which overlaps with the information that must be communicated to individuals) : 

 

  • The name and contact details of the data controller and, where appropriate, of the joint data controller, the representative of the data controller and the data protection officer ; 

  • The purposes of the data processing;

  • A description of the categories of data subjects and the categories of personal data;

  • The categories of recipients to whom the personal data have been or will be disclosed, including recipients in other countries or international organizations;

  • Where appropriate, transfers of personal data to a non-EU country or to an international organization, including the identification of that non-EU country or international organization ;

  • The time limits for the deletion of the different categories of data ;

  • To the maximum extent possible, a general description of the technical and organisational security measures (e.g. the means of ensuring confidentiality, the procedure for regularly testing, analysing and evaluating the effectiveness of the technical and organisational measures to ensure the security of the processing). 

 

How do I set up a record of processing activity? 

 

At Didomi, we have established a list to enable you to ensure compliance with the CNIL and article 30 of the GDPR. Here are all the necessary steps to create a compliant record of processing activity :

 

  1. Mapping the processing of personal data
  2. Mapping subcontractors and recipients
  3. Mapping data transfers outside the European Union 
  4. Verify data integrity and security
  5. Determine clear and legitimate purposes for treatments
  6. Set the rules for purging databases
  7. Set up a treatment registry

 

Want to check if your company is in compliance with CNIL and GDPR regulations? Organize a free demo with Didomi

 

  Request a demo

 

How the Didomi solution can help you 

 

Do you feel overwhelmed by multiple forms of data legislation? Didomi's record of processing activities tool allows you to establish your records in just a few clicks. Through the ability to create and edit records, you can have an insightful overview of the data processing carried out by your company. 

 

With this practical and easy to use solution, you are in compliance with the article 30 obligation and you can publish the processing you want on your Privacy Center to fulfill the information obligation. 

 

The tool includes customizable databases of treatments pre-approved by data protection authorities (such as the CNIL) and a simple and fast workflow for declaring and managing your treatments, suitable for beginners as well as advanced users. 

 

This tool is also a way to centralize all your documentation and to have an easily accessible and clear record of processing activities. It's a win-win situation! 

 

Want to implement this tool and guarantee compliance with the CNIL and the GDPR? Organize a demo with us. 

 

  Request a demo