Are owners or processors of PII required to maintain any internal records of their data processing activities or to establish internal processes or written documentation? If so, please describe how businesses typically meet these requirements.
Data Protection & Cyber Security
Formally speaking, Russian law does not specify the roles of a PII owner and processor. Instead, there are notions of a data controller (i.e. entity determining the purposes and terms of processing) and a person carrying out processing of PII upon assignment and on behalf of the data controller. In essence, the notion of such person corresponds to the meaning of a data processor under EU regulations.
Under Russian law, controllers and processors are not directly obliged to maintain consolidated records of processing activities of the kind prescribed by European law.
At the same time, Russian law requires controllers to implement a number of internal policies and to maintain certain records in order to ensure the accountability of data processing activities. Such policies and records include:
- List/Records of PII Information Systems: the document accumulating and systematizing the information about the controller’s automated and non-automated PII systems;
- PII List/Records: the document accumulating and systematizing the information on the categories of data subjects and their PII processed by the controller along with purposes, legal grounds, and terms of PII processing;
- List/Records of Individuals Authorized to Access the PII to Perform Their Job Duties: the document specifying the categories of data subjects and their PII along with job titles of controller’s employees authorized to access such data to perform their job duties.
The Data Protection Law does not include a specific obligation to maintain internal records or establish internal policies. However, owners and processors of personal data must comply with certain obligations in connection with data security and confidentiality (see question 16).
Both the controller and the operator must keep records of the personal data processing operations they carry out, especially where the processing is based on legitimate interest. It is also highly advisable for controllers and operators to maintain an up-to-date data map and to carry out a Data Protection Impact Assessment (DPIA) whenever one is required.
The obligations under Article 30 GDPR, pursuant to which data controllers and data processors must keep and regularly update records of all their data processing activities, are fully applicable. So are the requirements of Articles 24, 29 and 32 GDPR, which oblige data controllers and data processors to introduce appropriate technical and organisational measures for data protection and to implement corresponding internal rules and instructions.
In addition to the above requirements, the PDPA introduces the following rules:
- Pursuant to Article 25i PDPA, the employer, acting in the capacity of data controller, is required to implement comprehensive rules and procedures, and to inform the employees accordingly, where the following practices are in place within the employer's organisation:
- whistleblowing systems;
- restrictions on the use of business resources;
- systems for access control and of control of the working time and the work discipline.
These rules and procedures should set out the scope, the responsibilities and the methods used for applying the above practices. The documents should be drawn up taking into account the business activity of the employer and should not restrict data subjects' rights.
In addition, data controllers and data processors are required to adopt and apply rules introducing appropriate technical and organisational measures to protect the rights and freedoms of data subjects in the case of large-scale processing of personal data or of systematic large-scale surveillance of publicly accessible areas, including through CCTV. The rules for systematic large-scale surveillance of publicly accessible areas should contain the legal bases and purposes of the processing, the territorial scope of the surveillance and the means of monitoring, the records' storage period and deletion, the right of access of the monitored persons, and restrictions on access to the information by third parties, and should inform the public of the surveillance carried out (Article 25e PDPA).
Since the above requirements were introduced into national legislation only recently (following the promulgation of the new Bulgarian PDPA at the end of February 2019), there are no clearly established business practices demonstrating how businesses typically meet them. In general, a set of written documents, namely registers (records) and internal rules, has to be in place and regularly updated.
Maintenance of Records
There is no explicit requirement to maintain records of the data processing activities in the current FADP. Art. 11a para. 5 lit. e FADP sets out that the internal data protection officer, if one is appointed at all, must maintain a list of data files. This obligation is, however, not comparable with the requirement to record all data processing activities as set out in the GDPR.
Notwithstanding the above, art. 10 of the Ordinance to the FADP requires records to be maintained for the automated processing of sensitive personal data and personality profiles. Art. 10 sets out as follows: "the controller of the data file shall maintain a record of the automated processing of sensitive personal data or personality profiles if preventive measures cannot ensure data protection. Records are necessary in particular if it would not otherwise be possible to determine subsequently whether data has been processed for the purposes for which it was collected or disclosed."
Internal Processes and Written Documentation
The FADP does not explicitly require the implementation of internal processes and written documentation. However, such obligations arise implicitly from other obligations set out in the FADP. The right of access set out in art. 8 et seq. FADP requires certain internal processes in order to respond to access requests in a timely manner, and it requires written documentation for compliance and evidence purposes. The same applies to deletion or correction requests. As the FDPIC requires notification of data breaches in certain constellations, an internal process and written documentation are also recommended in that regard.
Finally, art. 7 FADP sets out in a general way that personal data must be protected against unauthorised processing through adequate technical and organisational measures. The appropriate technical and organisational measures must be documented in writing and may include the establishment of internal processes and policies. This is explicitly mentioned in art. 11 of the Ordinance to the FADP, under which data controllers are required to establish a processing policy where they maintain data files that must be notified pursuant to art. 11a FADP.
As the FADP and the related Ordinance follow a risk-based approach, every legal entity may implement the internal processes in the way most appropriate to the organisational structure, size, etc. of the respective company. The processes are typically as follows:
- There is a policy in which the employees are, for example, informed about the access right of data subjects.
- The employees are informed in the policy to whom (i.e. to which individual or function) such requests must be forwarded in case that they are submitted to an employee who is not responsible.
- The companies appoint an employee who is responsible for data protection questions and receives requests etc. That employee need not be an official data protection officer as set out in art. 11a para. 5 lit. e FADP; the main task is to centralise data protection related requests and questions.
The Spanish LOPD refers to the GDPR as regards the recording of processing activities. The record is required for organisations employing 250 or more persons, and also for those with fewer employees where the processing they carry out is likely to result in a risk to the rights and freedoms of data subjects, is not occasional, or includes special categories of data. This record shall include the information listed in article 30 GDPR.
The Spanish law adds, for certain public entities or related to the public sector listed in article 77.1 LOPD, the obligation to make this recording public and accessible by electronic means.
No, owners or processors of PII are not required to maintain any internal records of their data processing activities or to establish internal processes or written documentation. The exception is data processing by public entities, in which case the Service of Civil Registration and Identification keeps a record of the personal data banks managed by such agencies.
All companies employing 250 employees or more must keep a record of processing activities (Art. 5 (2), 30 (1) (2) GDPR). Nonetheless, this obligation also applies to smaller enterprises if
- the processing is likely to result in a risk to the rights and freedoms of data subjects,
- the processing is not occasional,
- the processing includes special categories of data as referred to in Art. 9(1) GDPR (e.g. ethnic origin, biometric data, data related to political or philosophical beliefs), or
- the processing includes personal data relating to criminal convictions and offences referred to in Art. 10 GDPR.
Therefore, many small and medium-sized enterprises are also obligated to keep the records.
In accordance with Art. 30 GDPR the record shall contain all the following information:
- the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer;
- the purposes of the processing;
- a description of the categories of data subjects and of the categories of personal data;
- the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organizations;
- where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization;
- where possible, the envisaged time limits for erasure of the different categories of data;
- where possible, a general description of the technical and organizational security measures referred to in Art. 32(1) GDPR.
All the records of processing activities shall be in writing, including in electronic form.
Since these obligations are rather extensive and can be quite complex depending on many factors (the number of controllers and possible processors, the purposes for which data is processed, the security measures in place, etc.), there is no single approach to fulfilling them that a majority of the obligated enterprises use. Given the high requirements, companies find it difficult to fulfil the obligations, and processes and security measures are often not documented, or not documented sufficiently. However, since the GDPR came into effect in May 2018 awareness has risen exceptionally and is expected to rise further as information on fines actually imposed under the GDPR is released. We would highly recommend that an enterprise affected by these obligations consult a data privacy/security specialist who can facilitate an assessment of the data processing activities and get the expected documentation in place.
The Privacy Rules require body corporates to implement reasonable security practices and procedures including having comprehensive & documented information security programme & policies. One standard prescribed in this regard is ISO/IEC 27001 standard "Information Technology - Security Techniques - Information Security Management System – Requirements" ("ISO Code").33
Accordingly, data processor entities operating in India typically state their compliance with such standards in their privacy policies or notices.
No other specific records or written documentation need to be maintained under the Privacy Rules. Specific circumstances such as occurrence of cyber security incidents, etc. may lead to a data processor being asked by regulatory authorities to maintain / produce necessary records.
The IT Act specifically requires intermediaries to preserve and retain such information and for such duration as may be specified by the Central Government.34
The Privacy Bill proposes that data fiduciaries maintain up-to-date records of important operations in the life cycle of processing of PD, including collection, transfers, and erasure.
33 - We have included more details in this regard in our response to Query 16 below.
34 - The Central Government is yet to notify specific rules on this issue. In other relevant Indian laws, the requirement to retain records is 8 years.
Under the CSL, network operators are required to record network operation and cybersecurity events and maintain the cyber-related logs for no less than six months.19 Since the CSL is a binding law and the enforcement authorities have published sanctions on those who failed to maintain the logs, most business entities follow such requirement and keep log records for no less than six months.
A personal information controller is required to keep records in certain circumstances under the PI Specification. For example, when it is truly necessary for work to allow specific personnel to exceed their privileges to process personal information, the person responsible for personal information protection or the personal information protection work organization should conduct an assessment and approval and make a record.20 A personal information controller should correctly record and retain the arrangement for delegation of the personal information processing.21 In the case of sharing and transferring personal information for reasons other than merger, acquisition and restructuring, it is required to correctly record and retain the circumstances of the sharing and transfer of personal information, including the dates of sharing and transfer, the scale, the purposes, the basic information of the recipient, etc.22
19 - CSL. § 21.3.
20 - PI Specification. 7.1 d).
21 - PI Specification. 8.1 e).
22 - PI Specification. 8.2 d).
Pursuant to MCI Regulation 20/2016, an ESO is only required to provide an audit trail for all Electronic System activities managed by the ESO, which includes the collection and processing of Personal Data. The Data Subject, as the owner of the Personal Data, is not required to maintain any internal records.
In accordance with article 30 of the GDPR, internal records of data processing activities are mandatory for controllers and processors if the enterprise or organization employs at least 250 persons or, regardless of the number of employees, if the data processing activities are likely to result in a risk to the rights and freedoms of data subjects, are not occasional, or include special categories of data (sensitive PII) or PII relating to criminal convictions and offences.
That record shall be in writing (including electronic form) and its content varies on whether the covered entity acts as a controller or a processor.
When acting as a controller, the record shall include:
a) the name and contact details of the controller and, where applicable, the joint controller, the controller's representative and the data protection officer;
b) the purposes of processing;
c) a description of the categories of data subjects and of the categories of personal data;
d) the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organizations;
e) where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization;
f) where possible, the envisaged time limits for erasure of the different categories of data;
g) where possible, a general description of the technical and organizational security measures.
When acting as a processor, the record shall include:
a) the name and contact details of the processor or processors and each controller on behalf of which the processor is acting and, where applicable, the controller's and processor’s representative and the data protection officer;
b) the categories of processing carried out on behalf of each controller;
c) where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization;
d) where possible, a general description of the technical and organizational security measures.
The CNPD has made available on its website forms of records of processing activities for both controllers and processors (only available in Portuguese at https://www.cnpd.pt/bin/rgpd/rgpd.htm).
Considering the accountability principle, controllers should establish internal processes and written documentation to be able to demonstrate compliance with the GDPR, which may include, inter alia and as applicable:
b) Privacy notices
c) Regulations to ensure accuracy of the data;
d) Data Retention Policy;
e) Regulations to ensure valid consent is obtained (including from minors) and how to deal with consent withdrawal;
f) Consent forms;
g) Record of consents;
h) Documents’ classification;
i) Data Subject Access Requests Protocol;
j) Data Processing Agreements;
k) Data Sharing Agreements;
l) Arrangement between joint controllers;
m) Non-disclosure agreements;
n) Data protection clauses for the several contracts in place;
o) Training on Privacy and Data Protection;
p) Internal and periodic audits;
q) Data Security Policy;
r) Security Measures Record;
s) Business Continuity Plan;
t) Data Breach Policy;
u) DPIAs Policy.
Both controllers and processors must maintain a record of processing activities (ROPA) which must be made available to the Information Commissioner's Office (ICO) on request.
The ROPA should contain:
- The name and contact details of the organisation (and where applicable, of other controllers, the organisation representative and their data protection officer).
- The purposes of the processing.
- The lawful basis for the processing.
- A description of the categories of individuals and categories of personal data.
- The categories of recipients of personal data.
- Details of any transfers to third countries including documenting the transfer mechanism safeguards in place.
- Retention periods.
- A description of any technical and organisational security measures.
This obligation does not apply to organisations with fewer than 250 employees unless the processing is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data or data related to criminal convictions or offences.
To comply with the accountability principle and to meet its privacy by design obligations, a controller must document its processes and policies so that it can demonstrate how it has sought to comply with the data protection principles. It should have a range of policies tailored to its business such as a data protection policy, retention and disposal policy, data breach policy, marketing policy, consent records, data maps, training materials and processes to comply with the data protection principles and to enable individuals to exercise their rights etc.
Yes, according to article 30 of the GDPR controllers as well as processors are required to maintain a record in writing, including in electronic form. Article 30 stipulates all the information that the record shall contain such as for example the purposes of the processing, a description of the categories of data subjects and of the categories of personal data and, where possible, the envisaged time limits for erasure of the different categories of data.
The obligation to maintain a record does however not apply to an enterprise or an organisation employing fewer than 250 persons, unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data or personal data relating to criminal convictions and offences.
How businesses meet the requirement varies; many use a simple Excel spreadsheet.
Most companies/organizations are required to keep a record of processing activities, which is a requirement under article 30 of the GDPR and is used as an accountability tool. The record of processing activities is also a useful tool for properly recording and organizing the company's processing activities.
Both the data controller and the data processor are required to maintain a record of processing activities, with different content for each. The mandatory elements are described in detail in article 30 par. 1 of the GDPR as regards controllers and in article 30 par. 2 as regards processors.
In addition to the aforementioned elements, additional information which is considered by the controller or processor as appropriate to facilitate their compliance may be included in the record of processing activities.
Any controller or processor may choose how to maintain the record of processing activities, provided that the obligation under article 30 of the GDPR is satisfied.
Furthermore, additional documentation, such as a Data Retention Policy or a Policy and Procedure on Personal Data Breach Notification, is necessary for businesses’ compliance with the GDPR.
The maintenance of the record of processing activities is not easy. Depending on the nature and the area of expertise of a company, an internal project shall be initiated to detect and record all data flows, namely the sources of data collection, data transfer channels, recipients of personal data, etc. Next, a legal audit of the flows shall take place and the legal bases shall be identified in order to be added to the record of processing activities.
Finally, the HDPA provides indicative examples of a record of processing activities in Excel format in order to assist small and medium-sized enterprises in their compliance with the GDPR.
Data controllers which are subject to the obligation to register with the Registry are also mandated to prepare a personal data processing inventory.
Within the purposes of the Regulation on the Registry (elaborated in detail above under Question 2), data controllers are obliged to prepare a personal data processing inventory incorporating information on the purposes and legal reasons for processing personal data, data categories, subject groups of the data, the maximum retention period of the data and measures taken regarding the data security. Information to be provided during the registry procedure shall be determined in accordance with the inventory.
The application to the Registry must contain information on the following matters:
- Information provided within the application form to be specified by the Board concerning the identification and address information of the data controller, the data controller representative if any, and the contact person,
- Purposes for processing personal data,
- Explanations concerning the subject group or groups of the data and the data categories relating to such persons,
- Recipient group or groups to which personal data may be transferred,
- Personal data to be transferred abroad,
- Measures taken regarding data security as specified by the Law and the criteria determined by the Board,
- Maximum retention periods of personal data as envisaged under the legislation or as required by the purpose of processing.
The provisions of art. 30 GDPR apply. Accordingly, controllers (and processors) must keep a written record of their processing activities. This document must be made available to the Data Protection Authority on request. Such documentation shall in particular contain the following information:
- The contact details of the controller and, where applicable, the joint controller, the controller´s representative and the data protection officer;
- the purposes of the processing operations;
- description of the categories of data subjects, personal data, recipients and transfers to third countries;
- where possible the envisaged time limits for erasure of the different categories of data; and
- a general description of the technical and organisational measures undertaken to protect the data.
Both controllers and processors must maintain a record of processing activities under its responsibility which must be made available to the CNIL on request. In the event that an organization acts as controller for some data processing and as processor for other data processing, such organization should maintain two separate records of processing activities.
The record of processing activities must contain the following information:
- the organizations involved in the processing activities (representatives, subcontractors, joint controllers, etc.);
- the lawful basis for the processing ;
- the categories of data processed ;
- what this data is used for (i.e. what the organization does with it), who accesses the data and to whom it is disclosed ;
- how long the data is kept; and
- how the data is secured.
In addition to meeting the obligation under Article 30 of the GDPR, this record is a tool for monitoring and demonstrating compliance with the GDPR as per the accountability principle.
Companies with fewer than 250 employees benefit from a derogation. They must record only the following data processing operations:
- recurring processing (e.g. payroll management, recurrent customer/prospect and supplier management, etc.);
- processing operations likely to involve a risk to the rights and freedoms of individuals (e.g. geolocation, CCTV, etc.); and
- processing operations involving sensitive data (e.g. health data, criminal convictions and offences, etc.).
In practice, this derogation enables VSEs and SMEs to bypass the obligation to record the processing activities of very specific cases carried out on an occasional and non-routine basis provided that such processing does not pose any risk to the data subjects. This can be illustrated by the processing of personal data in a communication campaign on the occasion of the opening of a new establishment. In case of doubt about whether this derogation applies to a processing operation, the CNIL recommends to include the processing activities in the record.
To facilitate the maintenance of this record, the CNIL created a model of a basic record in PDF and Word formats intended to meet the most common needs in terms of data processing, in particular for small structures (VSE-SMEs, associations, etc.). This model is available on the CNIL's website.
Moreover, given that Article 30 of the GDPR lays down separate obligations for the record of processing activities of the controller and the register of the processor, the CNIL recommends that an organization acting as both controller and processor maintain two separate records of processing activities:
- one for the processing for which the organization acts as controller; and
- another for the processing that the organization carries out as processor (subcontractor).
Owners or processors of PII or PI are not generally required to maintain internal records of their data processing activities or to establish internal processes or written documentation. However, several statutory frameworks in the U.S., including GLBA, HIPAA, and some state information security and health laws, require specific record retention practices as well as the implementation of associated information security programs. These programs typically require internal processes and documentation of the administrative, technical and physical safeguards implemented to protect the confidentiality and security of personal information, and some of these regulations in turn require documentation of those practices. For example, HIPAA requires covered entities to maintain the related documentation for six years from the date of its creation or the date when it was last in effect, whichever is later. Finally, entities also typically use industry or third-party benchmarking data to determine how best to maintain records generally, including data processing documentation.