Does your company process personal data? This includes storing, using or sharing names, phone numbers and addresses. You have to be able to show you comply with the General Data Protection Regulation (AVG). This means you may need to keep a processing register.
Rules around the processing register
The processing register contains information about the personal data you use. Whether you should keep a processing register depends on the size of your company and the type of data you use:
- Do you employ more than 250 staff? You should keep a register.
- Do you employ fewer than 250 staff? You do not need to keep a register.
In certain situations you need to have a register even if you employ fewer than 250 people:
- You regularly process personal data (this will be the case for most organisations).
- You process data that can pose risks for the rights and freedoms of the persons involved.
- You process special personal data (data around health, religion, political preferences or criminal records).
If you are bound to keep a register, you should be able to show it whenever the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) asks for it.
What to register
It is up to you how you draw up the register. However, the following information should be included in the register regardless:
- Name and contact details of your company
- Any other organisations involved in your data processing
- The aim of the data processing
- A description of the people whose data you use
- A description of the type of data
- The date on which you should delete the data (if known)
- Which organisations you share the data with and whether they are based inside or outside of the EU
- What you do to keep personal data safe
There are no standard templates for processing registers. It is up to you how you format the register. If you would like an example, you can contact your trade association.
Is your organisation not in charge of why and how personal data is used? If you process data for another organisation you also need to keep a processing register.
If you process personal data, you are also obliged to inform people about your use of their data. You should let them know which data you collect and how you will use it. You can do so by including a privacy statement on your website.