What is a Register of Processing Activities and why do you need to have one?
Keeping a register of processing activities (hereinafter “RoPA”) can be considered one of the most important requirements arising from the General Data Protection Regulation (hereinafter “GDPR”). Thus, its preparation is one of the first actions to be carried out in order to comply with the GDPR.
What is the Register of Processing Activities?
The RoPA is an internal document whose purpose is to serve as a guide within the organization that manages it for compliance with the regulation. In other words, it must be a map or photo that exhaustively reflects the data processing activities of its owner.
A RoPA must at lease contain the following:
- the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer;
- the purposes of the processing;
- a description of the categories of data subjects and of the categories of personal data;
- the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;
- where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation;
- where possible, the envisaged time limits for erasure of the different categories of data;
- where possible, a general description of the technical and organisational security measures. In this respect, the Spanish Data Protection Authority (hereinafter, the “AEPD”) has clarified that the absence of determination of these measures is only justified if the impossibility of foreseeing them is duly explained.
However, this content varies slightly if the author is the data processor of the information.
In addition to the minimum information required, the RoPA may include other information that the controller or processor deems appropriate to protect the rights and freedoms of natural persons.
Thus, the Spanish Data Protection Agency has stated that the RoPA could include aspects that facilitate the effective application of proactive responsibility, such as: “an analysis of risks to the rights and freedoms affected, a systematic description of the processing, the information systems on which it relies, a description of the identity of the data processors, the safeguards foreseen for carrying out international data transfers, contact information of the persons or departments of the organisation involved in the processing operations, etc.”.
Why is it important to have a RoPA?
Drafting a RoPA forces data controllers and processors to carry out a prior analysis of the processing operations they are going to carry out in the course of their activities. This being so, and as GDPR sets forth in its recital 82, the RoPA serves as a means of proof to demonstrate compliance with privacy obligations before the AEPD
Who should have a RoPA?
The current regulations indicate that organisations employing less than 250 workers are exempt from setting up this register. However, those that carry out processing that may entail a risk to the rights and freedoms of data subjects, processing that is not occasional or includes special categories of data or data relating to criminal convictions and offences must have a RoPA regardless of the number of employees.
What happens if I don’t have a RoPA ?
Pursuant to article 73. n) of Organic Law 3/2018, of 5 December, on the Protection of Personal Data and guarantee of digital rights and art. 83.4.a of the GDPR, not having a RoPA when necessary is a serious infringement and, consequently, the infringing entity may be sanctioned with fines of up to €10 million or 2% of the company’s global turnover.
In this respect, it should be noted that keeping an RoPA is not a one-off exercise, but the information included in it should reflect the current situation with regard to the processing of personal data. The register should therefore be treated as a living document. In other words, periodic reviews of the information processed should be carried out to ensure that the information contained therein is complete, correct and up to date.
AEPD takes compliance with the obligations associated to the RoPA very seriously. This being so, and by way of example, it is worth noting the recent sanction imposed by the AEPD on BURWEBS S.L., among other reasons, for maintaining an incomplete and outdated ARP.
Letslaw es una firma de abogados internacionales especializada en el derecho de los negocios.
More from my site
The new wording of double taxation agreement with the United States increases investment in Spain
Reputation Isn’t Everything – Or Is It?
Draft Report on the Implementation of Cookies
Spanish Data Protection rules on requesting the Identity Card for the habeas data
The CNMC opens a public consultation on the prohibition of companies from contracting with the administration for distorting competition
Online age verification