The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) regulates how personal data may be lawfully processed, including how it is collected, used, protected and otherwise handled. It is intended to strengthen data protection for everyone whose personal data falls within its scope, putting control over personal data back into their hands.
Implementing this in practice can, however, be a technical challenge. This is especially true for your register of data processing activities: you must be able to describe which data you collect, for which purposes, which parties are involved and a number of other details, for the entire company and including the data of your employees.
If you are looking for further background information on the GDPR please have a look at our extensive GDPR guide.
This guide walks you step by step through our Register of Data Processing Activities.
Please note: even though the GDPR is a common reason to put more effort into a register of data processing activities, our tool is not made exclusively for use under the GDPR. It can be used to document all of your data processing activities, even by companies that have no users or customers within the EU.
The GDPR requires both controllers and processors to keep a record of processing activities (Article 30). Such records must be in writing, which includes electronic form. The Register of Data Processing Activities was designed specifically to help controllers and processors meet this requirement.
The record (also called "register") of processing activities must be made available to the supervisory authority on request.
Enterprises or organizations employing fewer than 250 persons are, in principle, exempt from this requirement.
👉 However, if you employ fewer than 250 persons but any of the following applies (Article 30(5)), you are still required to keep the record:
the processing is likely to result in a risk to the rights and freedoms of data subjects;
the processing is not occasional;
the processing includes special categories of data (Article 9) or personal data relating to criminal convictions and offences (Article 10).
Areas are perimeters within which data processing activities are homogeneous. Examples of areas are your website, mobile app, physical stores, employees, recruiting, manufacturing facility and so on. For each area you provide a description of how data is processed, much as you probably already do with our privacy policy generator or terms of service generator for a given site. In short, areas are replications of the "site" entity, connected to each other, that you can create at will.
At the account level you can add members, who can then be associated with a particular role (such as "controller" or "processor") or with a specific area.
When associating a member, you can choose their role from the following options:
For example, an internet company may collect user information via its website and store it using a third-party cloud service. In this scenario the internet company is the data controller and the organization running the cloud service is the data processor.
You can think of the member list as an address book. All current owners are members too.
Please be aware: the defaults you set in the area members section are then applied by default to each service in that area.
The following members are available by default:
Your privacy policy needs to reflect your site's or app's data collection practices. You do that by adding a service.
Services generally fall into two categories:
When figuring out which basic services to add to your policy, it may help to ask yourself the following questions:
In the following section we go through the new fields we have released to support your register of data processing activities (you can find these fields in the customization window that appears when you add a service). We will do this step by step to help you choose the right option for your situation.
The label and description fields are simply for your convenience, so that you can describe the given service. An example label could be "DE data center", with the corresponding description "Frankfurt data center".
This field applies only to some services and lets you specify whether you keep the data in the EU. A good example is "Amazon Web Services" (often abbreviated as "AWS").
A field that only some services have, allowing you to specify the type of personal data collected through that service.
Under the GDPR, personal data may only be processed if there is at least one lawful basis for doing so.
The lawful bases (Article 6(1) GDPR) are:
consent of the data subject;
performance of a contract with the data subject (or steps taken at their request before entering into one);
compliance with a legal obligation;
protection of the vital interests of the data subject or another person;
performance of a task carried out in the public interest or in the exercise of official authority;
the legitimate interests of the controller or a third party, unless overridden by the interests or rights of the data subject.
In our tool you can select from the following options:
This field only applies when you transfer data outside the EU (more precisely, outside the European Economic Area), so please choose accordingly.
You can choose between the following options:
Controller
Any person or legal entity that determines the purposes and means of processing the personal data.
Processor
Any person or legal entity that processes personal data on behalf of the controller.
Members of the controller organization
A common example is the employees of the given company or organization.
Subjects
Can be, for example, the users of the given website or app, visitors to a physical store or paying clients.
Under normal circumstances, processing that has "consent" as its legal basis needs to have all of the rights selected. Our solution offers the following options:
This field refers to how long the data is stored. The default option is "keeping the data for the time necessary to fulfill the purpose" and should apply in most cases. Otherwise, you can choose a period of 1 to 5 years.
Common examples here are the encryption method used and vulnerability assessments or penetration tests, meaning that your technical systems are tested periodically to evaluate their security and resilience.
Another important measure is the so-called "backup and storage of backup media", which means keeping backup media in a dedicated location accessible only to the personnel in charge. The security of that location should be verified at least annually.
It is also recommended to install and maintain a firewall: review the current configuration, manage permissions for system users, check that the system is up to date and install it on portable devices as well. Having a firewall in place is of course nothing new in relation to the GDPR and should be regarded as a minimum security measure already required by current standards.
From the tool you will be able to choose from the following options:
To describe processing as thoroughly as the GDPR requires, you must be very granular in describing your data collection practices. A common scenario is a website with multiple contact forms, where each form is aimed at different individuals or where the data is shared with different parties. Another example is having two different newsletters for different user groups or customers.
Our Register of Data Processing Activities tool therefore allows you to add different versions of the same service.
Let's now go through a range of specific examples to make the above more practical, including our "alternate options":
Example Inc. adds a site area and configures the privacy policy, cookie policy, privacy controls and cookie solution, and the terms of service.
For the privacy policy, the following is done:
members: here we set the global members for each role, valid for the entire area. Members can also be specified per service.
controller: Example Inc. (the owner)
members of the controller organization: employees
processors:
subjects: users of the site
name: Example Inc.
label: DE data center
description: Frankfurt data center
region: EU
legal basis for processing: contract
those who process the personal data: owner, employees (those who have been set at the site level)
subjects: users of the website
legal basis for data transfer: no data transfer
available rights: none (since it would not be possible to provide the service if they object to processing from Example Inc.)
retention policy: keeping the data for the time necessary to fulfill the purpose (default option)
security measures: tbd
label: NL data center
description: Amsterdam data center
region: EU
legal basis for processing: contract
those who process the personal data: owner, employees (those who have been set at the site level)
subjects: users of the website
legal basis for data transfer: no data transfer
available rights: none (since it would not be possible to provide the service if they object to processing from Example Inc.)
retention policy: keeping the data for the time necessary to fulfill the purpose (default option)
security measures: tbd
(If you do not use Google Analytics on your website or app, you can simply insert another analytics tool here.)
name: Google Analytics
label: Google Analytics
description: Google Analytics tracking tool
legal basis for processing: consent
those who process the personal data: owner, employees (of the given company)
subjects: users of the website
legal basis for data transfer: consent
available rights: information, access, rectification, erasure, restrict processing, data portability, object
retention policy: keeping the data for the time necessary to fulfill the purpose (default option)
name: mailing and newsletter
label: main newsletter (remember that you can have more than one newsletter or mailing list)
description: main newsletter mailing list
custom personal data: email
legal basis for processing: consent
those who process the personal data: owner, employees (of the given company)
subjects: users of the website
legal basis for data transfer: no data transfer
available rights: information, access, rectification, erasure, restrict processing, data portability, object
retention policy: keeping the data for the time necessary to fulfill the purpose (default option)
label: main drip (referring to drip campaigns and not the standard newsletter)
description: drip campaigns
custom personal data: email
legal basis for processing: consent
those who process the personal data: owner, employees
subjects: users of the website
legal basis for data transfer: no data transfer
available rights: information, access, rectification, erasure, restrict processing, data portability, object
retention policy: keeping the data for the time necessary to fulfill the purpose (default option)
security measures: tbd
label: secondary product newsletter
description: “”
custom personal data: email
legal basis for processing: consent
those who process the personal data: owner, employees
subjects: users of the website
legal basis for data transfer: no data transfer
available rights: information, access, rectification, erasure, restrict processing, data portability, object
retention policy: keeping the data for the time necessary to fulfill the purpose (default option)
security measures: tbd
label: secondary product drip
description: “”
custom personal data: email
legal basis for processing: consent
those who process the personal data: owner, employees
subjects: users of the website
legal basis for data transfer: no data transfer
available rights: information, access, rectification, erasure, restrict processing, data portability, object
retention policy: keeping the data for the time necessary to fulfill the purpose (default option)
security measures: tbd
label: Affiliates newsletter
description: Newsletter for the affiliates
custom personal data: email
legal basis for processing: consent
those who process the personal data: owner, employees, agency x (who is managing the affiliate campaigns)
subjects: users of the website
legal basis for data transfer: no data transfer
available rights: information, access, rectification, erasure, restrict processing, data portability, object
retention policy: keeping the data for the time necessary to fulfill the purpose (default option)
security measures: tbd
name: referral candy
label: main Referral Candy account
description: “”
legal basis for processing: consent
those who process the personal data: owner, employees, agency x (who is managing the affiliate campaigns)
subjects: users of the website
legal basis for data transfer: consent
available rights: information, access, rectification, erasure, restrict processing, data portability, object
retention policy: keeping the data for the time necessary to fulfill the purpose (default option)
security measures: tbd
label: Referral Candy account for secondary product
description: “”
legal basis for processing: consent
those who process the personal data: owner, employees, agency x (who is managing the affiliate campaigns)
subjects: users of the website
legal basis for data transfer: consent
available rights: information, access, rectification, erasure, restrict processing, data portability, object
retention policy: keeping the data for the time necessary to fulfill the purpose (default option)
security measures: tbd
The user adds a custom area and calls it "employees", to describe the personal data it processes about employees and the purposes of that processing.
members:
controller: Example Inc. (the owner)
members of the controller organization: HR department
processors: Mr X, Mr Y
subjects: employees, consultants
name: payroll elaboration
legal basis for processing: legal obligation
those who process the personal data: owner, employees, HR department, Mr X, Mr Y
subjects: employees, consultants
legal basis for data transfer: no data transfer
available rights: none
retention policy: keeping the data for the time necessary to fulfill the purpose (default option)
security measures: tbd
name: “Timely” (employee time tracking software)
legal basis for processing: contract
those who process the personal data: owner, employees, HR department, Mr X, Mr Y
subjects: employees, consultants
legal basis for data transfer: consent
available rights: none
retention policy: keeping the data for the time necessary to fulfill the purpose (default option)
security measures: tbd
The user adds a custom area and calls it "job interview", to describe the personal data it uses about candidates and the purposes of that processing.
members:
controller: Example Inc. (the owner)
members of the controller organization: employees, HR department
processors:
subjects: job candidates
name: candidate evaluation
legal basis for processing: consent
those who process the personal data: owner, employees, HR department
subjects: candidates
legal basis for data transfer: no data transfer
available rights: none
retention policy: keeping the data for the time necessary to fulfill the purpose (default option)
security measures: tbd
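The example areas above are plain key/value records, which makes them easy to keep under version control and to check mechanically for the consistency rules this page states: consent as the legal basis for processing requires every right to be offered, a data transfer basis only applies when data leaves the EU, retention is either the default purpose-bound option or a period of 1 to 5 years, and several versions of one service must carry distinct labels. The following is an added example written for this guide, not code or a data format from the tool itself: it re-encodes a few of the Example Inc. entries as Python dicts and lints them. The field names, the "EU" region value and the deliberately inconsistent BAD_REGISTER entries are assumptions constructed for the example.

```python
"""Lint a register of data processing activities (constructed example)."""

LAWFUL_BASES = {  # Article 6(1) GDPR
    "consent", "contract", "legal obligation", "vital interests",
    "public task", "legitimate interests",
}
ALL_RIGHTS = {"information", "access", "rectification", "erasure",
              "restrict processing", "data portability", "object"}
DEFAULT_RETENTION = "keeping the data for the time necessary to fulfill the purpose"
NO_TRANSFER = "no data transfer"


def lint_service(area: str, svc: dict) -> list[str]:
    """Return the findings for one service entry (an empty list means clean)."""
    where = f"{area}/{svc['name']}/{svc.get('label', '')}"
    findings = []
    basis = svc["legal_basis"]
    if basis not in LAWFUL_BASES:
        findings.append(f"{where}: unknown lawful basis {basis!r}")
    # Consent-based processing must offer the full set of data subject rights.
    rights = set(svc.get("rights", ()))
    if basis == "consent" and rights != ALL_RIGHTS:
        findings.append(f"{where}: consent basis but rights missing: {sorted(ALL_RIGHTS - rights)}")
    # A transfer basis only makes sense when data actually leaves the EU (assumed field names).
    if svc.get("region") == "EU" and svc.get("transfer_basis", NO_TRANSFER) != NO_TRANSFER:
        findings.append(f"{where}: region EU but transfer basis {svc['transfer_basis']!r}")
    # Retention is the default purpose-bound option or a period of 1-5 years.
    ret = svc.get("retention", DEFAULT_RETENTION)
    if ret != DEFAULT_RETENTION and not (isinstance(ret, int) and 1 <= ret <= 5):
        findings.append(f"{where}: retention must be default or 1-5 years, got {ret!r}")
    return findings


def lint(register: dict) -> list[str]:
    """Lint every area; versions of the same service must have distinct labels."""
    findings = []
    for area, services in register.items():
        seen = set()
        for svc in services:
            key = (svc["name"], svc.get("label", ""))
            if key in seen:
                findings.append(f"{area}/{svc['name']}: duplicate label {svc.get('label', '')!r}")
            seen.add(key)
            findings.extend(lint_service(area, svc))
    return findings


# A subset of the Example Inc. entries from this page, re-encoded as dicts.
REGISTER = {
    "site": [
        {"name": "Example Inc.", "label": "DE data center", "region": "EU",
         "legal_basis": "contract", "transfer_basis": NO_TRANSFER,
         "rights": [], "retention": DEFAULT_RETENTION},
        {"name": "Google Analytics", "label": "Google Analytics",
         "legal_basis": "consent", "transfer_basis": "consent",
         "rights": sorted(ALL_RIGHTS), "retention": DEFAULT_RETENTION},
        {"name": "mailing and newsletter", "label": "main newsletter",
         "legal_basis": "consent", "transfer_basis": NO_TRANSFER,
         "rights": sorted(ALL_RIGHTS), "retention": 3},
    ],
    "employees": [
        {"name": "payroll elaboration", "legal_basis": "legal obligation",
         "transfer_basis": NO_TRANSFER, "rights": [], "retention": DEFAULT_RETENTION},
    ],
}

# Deliberately inconsistent entries (constructed) to show what lint() flags:
# partial rights under consent, a transfer basis inside the EU, an out-of-range
# retention period and a second version of the service reusing the same label.
BAD_REGISTER = {
    "site": [
        {"name": "mailing and newsletter", "label": "main newsletter", "region": "EU",
         "legal_basis": "consent", "transfer_basis": "consent",
         "rights": ["information", "access"], "retention": 10},
        {"name": "mailing and newsletter", "label": "main newsletter",
         "legal_basis": "consent", "rights": sorted(ALL_RIGHTS)},
    ],
}

if __name__ == "__main__":
    for name, reg in (("REGISTER", REGISTER), ("BAD_REGISTER", BAD_REGISTER)):
        print(name, "->", lint(reg) or "clean")
```

Running the script reports REGISTER as clean and four findings for BAD_REGISTER. The same checks can be run in CI over a YAML or JSON export of the register, so that a new service version cannot be merged with a consent basis and a partial set of rights.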