Expert Advice Community


Documentation of processing activities

Guest user Created:   Jan 03, 2018 Last commented:   Jan 03, 2018

I am taking a look at the “Documentation of processing activities” at the moment. The requirements seem quite clear; what I am not entirely clear about is the way we can receive, e.g., the sign-off from our (very many) data controllers, their DPO data, confirmation of data processing agreement etc. Does all of this need to be written (on paper)? Are digital forms acceptable? What digital forms are good? ParentPay have about 9000 customers, all of which are data controllers, and who we process data for. Would it be sufficient to ask them to “tick a box” in an online form, and confirm who their DPO is? Or does that process need to be somewhat more robust? Would we need to apply a form of proof of identity before accepting their submission?

Expert
Andrei Hanganu Jan 03, 2018

Answer:

As I understood from your query, the company you are representing is mainly acting as a data processor on behalf of various controllers. This means that you should have contracts or other binding documents in place with the controllers with specific data protection clauses (or Data Processing Agreements). Most of the information you need to fill in the Inventory of Processing Activities (the processor sheet) should be found in the documents mentioned above, documents that are signed by both controller and processor. Since you will use the information within these signed documents, you don't need any sign-off from the controllers.

Also notice that EU GDPR Article 30 requirements relate to the accountability obligation of controllers and processors as well, and it is meant to abolish the need to notify data processing activities to a local supervisory authority (albeit not actually file those records with the supervisory authority). Thus you need to prove that you comply with these obligations to the Supervisory Authorities, and failure to comply would lead to your company being sanctioned and not the controller. This would make the sign-off from the controllers useless both from your or your controllers' point of view.

As for how to organize the Inventory of Processing Activities, this is up to you and the company you represent, depending on the business you are running and the sheer number of controllers. I would suggest either having an inventory for each controller or, if you perform the exact processing activities for multiple controllers, you could have one inventory for such groups.

Article 30 (3) of the EU GDPR (https://advisera.com/eugdpracademy/gdpr/records-of-processing-activities/) mentions that the inventory “shall be in writing, including in electronic form”, so both electronic and paper forms are allowed. We decided to go in our EU GDPR implementation toolkit (https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/) with the Excel format since it is a widely used format accessible to most companies.
