Il registo delle attività per l'EDPB nelle linee guida per le PMI

Obligation to keep records of data processing

As an organisation, you have a duty to keep a record of your data processing activities. These records should be kept in writing, including in electronic form.

This record gives you an overview of your processing activities. In order to create such a record, you should identify which of your activities require processing of personal data (examples include recruitment, payroll management, training, badge and access management, list of prospective customers, etc.). Each of these processing operations must be described in the record with the following information:

•     the purpose of the processing (e.g. customer loyalty);
•     the categories of data processed (e.g. for payroll: name, first name, date of birth, salary, etc.);
•     who has access to the data (the recipients – e.g.: the department in charge of recruitment, the IT service, management, service providers, partners...);
•     where applicable, information related to transfers of personal data outside the European Economic Area (EEA);
•     where possible, the storage period (the period for which the data are useful from an operational point of view, and from an archiving perspective);
•     where possible, a general description of the security measures.

The record of processing activities falls under the responsibility of your organisation’s manager. This record must be available to the data protection authority of the EEA country where you operate, if requested.

It is not required for organisations employing fewer than 250 persons to mention purely occasional activities in their record (e.g. data processed for one-off events such as the opening of a shop.