In the GDPR, the register of processing activities is described in Article 30.
Each controller and, where applicable, the controller’s representative, shall maintain a record of processing
activities under its responsibility. That record shall contain all of the following information:
- the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer;
- the purposes of the processing;
- a description of the categories of data subjects and of the categories of personal data;
- the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;
- where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
- where possible, the envisaged time limits for erasure of the different categories of data;
- where possible, a general description of the technical and organisational security measures referred to in Article 32(1).
On 28 November 2018, the Dutch Data Protection Authority made five concrete recommendations following an exploratory survey of thirty large organizations from ten private sectors.
- State how long and for what purpose you want to keep the personal data. Under European privacy legislation, personal data may not be stored longer than necessary for the purpose for which they were collected. Organizations must also be able to justify why they collect this data.
- Include the contact details of the controller in the register.
- Provide a well-organized file of all processing of personal data that users can easily navigate.
- State clearly in which location or in which file personal data are stored and include these locations or files in the register. This information is relevant when people submit a request for access or deletion.
- Make clear which purpose belongs to which processing. Merely listing the processing per department together with a summary of the various purposes of the processing is not sufficient.