Written by Daniel Felz
On May 25, 2018, the EU General Data Protection Regulation (GDPR) enters into force. One of the major changes the GDPR introduces is a duty for in-scope controllers and processors to maintain written records of processing activities. Under Article 30 GDPR, companies will need to inventory all “processing activities under [their] responsibility” and memorialize them in a written record setting forth, inter alia, the purposes of processing operations, international transfers, and retention periods. Companies must provide their processing records (sometimes informally referred to as a “processing inventory”) to EU data protection authorities (DPAs) upon request.
Last week, the DPA for the German state of Bavaria issued a circular discussing Article 30 GDPR’s new recordkeeping requirements. Many of the points the Bavarian DPA raised will not come as surprises to companies that have spent time getting to know the GDPR, such as:
- Article 30 GDPR introduces a major change: not just controllers, but also processors must maintain processing records and produce them to DPAs upon request;
- Company-maintained processing records will displace the present regime of DPA notifications for certain processing operations and transfers;
- Companies operating in Germany are already generally obligated to maintain an “index of processing activities” (Verfahrensverzeichnis), which can serve as a basis for generating GDPR processing records;
- Failure to maintain processing records is subject to fines of €10 million or 2% of worldwide annual turnover, as is the failure to produce processing records to DPAs upon request.
One question many companies are asking is “How detailed do our processing records need to be?” The Bavarian DPA indicates it also sees this question as “intriguing,” especially since Article 30(1)(g) and 30(2)(d) only require a “general description” of a company’s technical and organizational information security measures “where possible.”
To help controllers and processors meet their recordkeeping obligations, the Bavarian DPA announced that the 17 German DPAs have formed a working group that will develop a Model Processing Operations Index for Article 30 compliance. Currently, the German DPAs plan to release the Model Processing Operations Index in mid-2017.
The detail provided in the Model Index should be an invaluable resource for companies with operations or customers in Germany, and may set the tone for what DPAs throughout the EU expect under Article 30 GDPR. Moreover, while Article 30 GDPR specifies the categories of information processing records must include, it does not specify format—and the Model Index may be the first DPA indication as to acceptable formats for Article 30 records.
* * * * *
Alston & Bird is closely following the Model Processing Operations Index as well as other important data-protection developments in Germany. For more information, contact David Keating, Jim Harvey, or Jan Dhont.