Drawing up a processing register
Does your company process personal data, for example by storing, using, or sharing names, phone numbers, and addresses? Then you have to be able to demonstrate that you comply with the General Data Protection Regulation (GDPR). This is called accountability. It means you may need to keep records of your processing activities in a processing register. The processing register contains information about the personal data you use.
When do you need a processing register?
Whether you should keep a processing register depends on the size of your company and the type of data you use:
- Do you employ more than 250 staff? You must keep a register.
- Do you employ fewer than 250 staff? You do not always need to keep a register.
In certain situations you need to have a register, even if you employ fewer than 250 people:
- You regularly process personal data. This is the case in most organisations, for example, when processing personal data of employees or customers.
- You process data that may pose a high risk for the rights and freedoms of the persons involved.
- You process special categories of personal data (for example, data around health, religion, or political preferences), or criminal data.
If you are bound to keep a register, you should be able to show it whenever the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) asks for it.
Data controller and processor should keep processing register
Are you responsible for determining how and why the personal data are used? Then you are the data controller. You must keep a processing register.
Do you process personal data for another organisation? Then you are the data processor. You still have to keep a processing register.
What do you need to register?
It is up to you how you draw up the register. However, the following information should be included in the register regardless:
- name and contact details of your company or your data controller
- any other organisations involved in your data processing
- the purposes of the data processing
- a description of the categories of people whose data you use, such as customers or employees
- a description of the type of data you process
- which organisations you share the data with and whether they are based inside or outside of the EEA
- what you do to keep personal data safe
Examples
There are no standard templates for processing registers. It is up to you how you format the register. If you would like an example, you can contact your trade association, or check out an example on the KVK website.
Privacy statement
If you process personal data, you have to inform people about your use of their data. You must let them know which data you collect, how you will use it, and why you need it. You can do so with a privacy statement.