In just under 100 days, the EU General Data Protection Regulation (GDPR) enters into force. One of the major changes the GDPR introduces is a duty for in-scope controllers and processors to maintain written records of their processing activities. Under Article 30 GDPR, companies will need to inventory all “processing activities under [their] responsibility” and memorialize them in a written record setting forth, inter alia, the purposes of processing operations, international transfers, and retention periods.
Article 30 GDPR thus creates a new kind of documentation obligation. This obligation is not just new for US companies – to date, most EU states have not mandated that companies maintain internal records of how they process personal data. (Instead, notifications to Data Protection Authorities (DPAs) have often served the function of memorializing organizations’ key processing activities.) The only EU member state with a requirement comparable to Article 30 GDPR has been Germany, which has required companies to maintain a written “overview” of processing activities. But even in Germany, it is difficult to determine how many companies fully complied with this obligation (as one prominent example, an audit of Germany’s State Department discovered that it had not created the mandated records of its processing activities, resulting in a reprimand from Germany’s Federal DPA).
Given the novelty of the GDPR’s requirements, companies expressed keen interest when, back in summer of 2016, the German DPAs announced they would be publishing a “Model Processing Operations Index” to orient companies’ Article 30 compliance. As of last week, this Model Index has arrived.
These Article 30 “Model Processing Records” have been published by Germany’s Conference of Independent Federal and State Data Protection Authorities, commonly referred to as the DSK or “Datenschutzkonferenz” (Data Protection Conference). The DSK is composed of Germany’s Federal DPA as well as all 17 state-run DPAs responsible for private-sector and public-sector controllers. As a result, the Model Processing Records have been reviewed by representatives of all German DPAs.
The DSK has provided two Model Processing Records: (1) a Model Processing Record for Controllers, and (2) a Model Processing Record for Processors. Although these documents are currently only available in German, we are offering non-official convenience translations here.
German versions of the Model Processing Records can be accessed from the website of the DPA of Sachsen-Anhalt here.
Regarding the Controller Model Processing Record:
It appears that the German DPAs are recommending that controllers take an activity-by-activity approach to indexing and memorializing their processing activities. The Controller Model Processing Record consists of two parts: (1) a cover page containing information relating to the controller, its Data Protection Officer, and any joint controllers, and (2) a template two-page detail sheet in which a specific processing activity is identified and the relevant details about it required under Article 30(1) GDPR are provided. The detail sheet should be repeated for each additional distinct processing activity that occurs within the company.
Companies that have conducted or begun the exercise of identifying their processing activities know that it can be complex. A company’s data uses can be summarized at a very high level, which provides little useful information for those outside the company. At the same time, a company’s data uses can be broken down so minutely that there are thousands of processing activities, and the information in the company’s processing records is again not very useful to those beyond the company. Finding the appropriate ‘level’ at which to identify processing activities can require significant discussion with relevant stakeholders and iteration. Often, distinct processing activities can be tied to the purposes for which data is used. Some sample “activities” that have been common fixtures of processing notifications to DPAs include: (a) HR administration / personnel management; (b) customer relationship management; (c) financial accounting; and (d) archiving.
Regarding the Processor Model Processing Record:
The DSK appears to be recommending that processors index and memorialize their processing activities on a controller-by-controller (or customer-by-customer) basis. In other words, the processor would (a) identify a controller on whose behalf it processes data, (b) describe the processing activities it conducts for the controller, then (c) provide the additional details required by Article 30(2) GDPR. This approach would be repeated for each additional controller/customer on whose behalf the processor processes personal data. While this approach may in theory appear more straightforward than its controller cousin, it can nonetheless again require a complex and iterative process for service providers that have a significant number of customers.
In parallel with providing these Model Processing Records, the DSK has also released Guidelines for Article 30 Processing Records (available in German here). The Guidelines contain useful information as to how German DPAs expect Article 30 records to appear under the GDPR:
• Language: German DPAs will expect Article 30 processing records to be produced to them in German. While this does not mean the records need to be maintained in German, it does mean that resources must be available to make sure they can be translated quickly.
• Cross-References to Other Internal Documents: Article 30 processing records can reference a company’s other internal policies and documentation. For example, Article 30(1)(2)(f) requires controllers to specify the retention periods for the categories of personal data they hold. If a company has a comprehensive Retention Policy and Retention Schedule, the Article 30 processing record could simply reference the Retention Schedule instead of recapitulating it in detail.
• List of Internal Policy Documents Recommended: The German DPAs recommend including in the Article 30 processing record a reference list of a company’s policy-level documents relating to data protection or security. This could include, for example: (a) enterprise-level privacy policy; (b) information security policy; (c) incident response plan; (d) certifications regarding privacy or security. To the extent that specific processing activities were subject to a prior assessment, the DSK also recommends including (e) the results of data protection impact assessments.
• Change Log: German DPAs will expect Article 30 processing records to have a change log that permits them to ascertain what changes were made by whom, and when.
As a final note, companies that have begun comprehensively cataloging their data flows or IT assets to serve as the basis for Article 30 processing records should not stop simply because the DSK’s Model Processing Records may not require flow-level or application-level detail. A DPA’s request for Article 30 records can be the first step in a larger inquiry, and the follow-up to “May we see your Article 30 records?” can require detailed knowledge of all IT assets and data flows underlying, e.g., customer data uses.
* * * *
Alston & Bird and its Brussels-based EU Privacy Team are closely following GDPR implementation in the EU Member States – including Germany. For more information, contact Jim Harvey, David Keating or Daniel Felz.