11 Sep The GDPR and the record of processed activities
The new General Data Protection Regulation (“GDPR”) will enter into force as of 25 May 2018. This new regulations brings numerous changes directly applicable in Belgian law. Companies are subject to important obligations in order to be transparent and enhance protection of personal data. Do not wait too long until you start implementing compliance procedures.
In order to comply with the principle of accountability, one of the new requirement set by the GDPR is the obligation to keep a record of processing activities. All companies and organizations which process personal data are at the moment obliged (unless certain exemptions) to submit a prior notification at the Belgian Commission for the protection of privacy. On 25 May 2018, this mandatory prior notification will be suppressed, but companies will then have to maintain a record,, which should be at the disposal of the Commission upon request.
This obligation is imposed on the data controller but also upon the data processor, which is new. The scope of the GDPR is thus broader and a lot of companies are now affected. All companies working in the IT sector are now likely to be concerned but not only : practically any company which processes personal data, be it only for managing their business and employees, are also impacted.
Practically, the record must contain information on all processing activities carried out : the purpose of processing activities, the categories of data subjects and personal data, the data recipients, the envisaged time limits for erasure of the different categories of data, a description of the security measures, the place where data is kept/transferred…
In June 2017, Belgium’s Commission for the protection of privacy has issued a recommendation to issue guidance on the record of processing activities. Violation of the obligation to keep a record may lead to administrative fines up to EUR 10.000.000 or 2% of the total worldwide annual turnover of the company, whichever is higher. The full text of the recommendation is available in French and Dutch on the website of the Commission.
One way or another, you are probably affected by the new regulation. The Cairn Legal team has set up a program and developed tools in order to support your compliance implementation. Do not hesitate to contact Guillaume RUE (Guillaume.email@example.com) for more information.
The Cairn Legal team.
Partners Frédéric de Patoul | Pierre Philippe Harmel | Frank Weinand | Didier Chaval | Bernard Vandenkerckhove | Carl Vander Espt | Guillaume Rue
Associates Dorothée Cardon de Lichtbuer | Julie Docquier | Virginie Schoonheyt | Bojana Salovic | Bertrand Margraff | Frédéric Paque