Since 25 May 2018, it has been mandatory to apply the new European General Data Protection Regulation (GDPR), which imposes obligations on data controllers both to adopt internal regulations and to maintain registries.

According to Article 30 of the GDPR, data controllers have to keep records of their data processing activities. This issue is addressed in several NAIH (Nemzeti Adatvédelmi és Információszabadság Hatóság – Hungarian National Authority for Data Protection and Freedom of Information) resolutions.

  1. Regulatory obligations

It is important to emphasize that, although the GDPR does not explicitly oblige data controllers to adopt internal regulations, every data controller must determine which technical and organisational measures need to be implemented to ensure, and to be able to demonstrate, compliance with the GDPR. Remember that in case of a dispute it is always the data controller who has to prove compliance with the GDPR. (For further reference, see our other article on the topic, “Lawful bases of data processing”.)

Of course, drafting company policies is not enough on its own, as data controllers must also take all measures to

(i) keep the amount of data they process to the minimum,

(ii) pseudonymise the data as soon as possible,

(iii) ensure transparency between data functions and data processing activities, and

(iv) guarantee that the data subject is able to track the whole data processing activity.

The requirement to take all these measures implies that data controllers must examine the general practice, circumstances, purpose and possible risks of each of their data processing activities. Once these have been examined, it is possible to determine the set of regulations and policies the data controller has to implement in connection with its data processing activities.

With particular regard to the requirement to demonstrate compliance with the GDPR and to the processing of personal data of employees or customers, there are only a few cases (mostly smaller data controllers with only a few personal data processing activities) where it is not necessary to create any regulations for the data processing activities.

According to Recital 39 of the GDPR, an important aspect when drafting the regulations is clarity of wording. The principle of transparency requires that information and communication relating to the processing of personal data be easily accessible and easy to understand, and therefore be written in clear and plain language. This principle applies in particular to informing data subjects about

(i) the identity of the data controller,

(ii) the purpose of data processing,

(iii) the way a fair and transparent data processing is ensured,

(iv) their right to be informed about the personal data processed.

Furthermore, in addition to drafting the policies, their content must be communicated to all those concerned (including employees and customers) before their personal data are handed over to the data controller.

  2. Maintaining a registry of data processing activities

Regarding the obligation (under Article 30 of the GDPR) to maintain a general registry of all data processing activities, it should be emphasized that the set of exceptions to this obligation is very narrow, even if the company in question employs fewer than 250 people.

Even in this case, if the data processing is likely to involve a risk, concerns sensitive data or is continuous, it is obligatory to compile and maintain the registry with the content prescribed in Article 30 of the GDPR.

An exemption from this obligation is granted, for example, if the data processing is not continuous but merely occasional and ad hoc. Based on the current legal interpretation and practice, very few companies can meet this condition, because even processing the data of a single employee is no longer considered occasional, so maintaining the registry is mandatory.

Under Article 30(1)(d) of the GDPR, a mandatory element of this registry is the categories of recipients with whom the personal data are or will be shared. According to Article 4(9) of the GDPR, public authorities that require you to share personal data with them are also considered recipients.

If we take the example of having only one employee, it is still required to indicate that the personal data of this employee (necessary for payroll accounting) are shared with the authority or court. It is typical that an accounting firm files documents with the authorities concerning the employee (so the firm forwards the personal data); therefore this firm must be included in our registry among the recipients of personal data. Furthermore, in our example the accounting firm is also a data processor, so it is recommended to conclude a separate data processing agreement with it.

It is important that the regulations, outlines, records and registries are created and maintained separately for each individual data processing activity, because the personal data of an employee may be used not only in relation to payroll accounting but also in relation to an alarm system, GPS, a camera system, parking lot assignments, company-owned equipment or training. Additionally, there are other data subjects in the everyday life of a company besides the employees (such as partners, job applicants, newsletter recipients etc.) who also need separately created and maintained registries for each of the related data processing activities.

Note that full compliance with the GDPR can only be achieved through a detailed and in-depth preliminary examination of all of our data processing activities.