Does your company process personal data? This includes storing, using or sharing names, phone numbers, and addresses. You have to be able to show you comply with the General Data Protection Regulation (AVG). This is called accountability. This means you may need to keep records of your processing activities (processing register).
Rules around the processing register
The processing register contains information about the personal data you use. Whether you should keep a processing register depends on the size of your company and the type of data you use:
- Do you employ more than 250 staff? You have to keep a register.
- Do you employ fewer than 250 staff? You do not need to keep a register.
In certain situations you need to have a register, even if you employ fewer than 250 people:
- You regularly process personal data (this will be the case for most organisations).
- You process data that can pose risks for the rights and freedoms of the persons involved.
- You process special personal data (data around health, religion, political preferences, or criminal records).
If you are bound to keep a register, you should be able to show it whenever the Dutch DPA (Data Protection Authority) (Autoriteit Persoonsgegevens, AP) asks for it.
Processing party should also keep processing register
Do you process personal data for another organisation (the processor)? And are you not responsible for determining how and why the personal data are used (the controller)? You still have to keep a processing register (in Dutch).
What to register
It is up to you how you draw up the register. However, the following information should be included in the register regardless:
- name and contact details of your company
- any other organisations involved in your data processing
- the purposes of the data processing
- who is the data protection officer in your organisation (if you have one)
- a description of the people whose data you use
- a description of the type of data
- the date on which you should delete the data (if known)
- which organisations you share the data with and if they are based inside or outside of the EU
- what you do to keep personal data safe
There are no standard templates for processing registers. It is up to you how you format the register. If you would like an example, you can contact your branch organisation.
If you process personal data, you are also obliged to inform people about your use of their data. You should let them know which data you collect and how you will use it. You can do so by including a privacy statement on your website.