Contact
The record can be organised based on specific processing operations linked to a common basic purpose (for example "customer management", "accounting management" or "human resources and payroll management"), or according to other different criteria.
One possibility for organising the record of processing activities is to start with the files that the processors have communicated to the Catalan Data Protection Register and to detail all the operations that are carried out on each structured data set. You can download the files you have communicated to the Catalan Data Protection Register via this link.
The Catalan Data Protection Authority (APDCAT) has developed a simple application to keep a record of processing activities, for use by controllers and processors. You can download it at this link.
According to Article 30.5 of the GDPR, the obligation to keep a record of activities shall not apply to an enterprise or an organisation employing fewer than 250 persons, unless the processing is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10.
In accordance with the position of the Article 29 Working Party on this issue, this provision should be interpreted as not applying to companies or organisations employing less than 250 people, unless any of the following circumstances apply:
- If there is likely to be a risk to the rights and freedoms of the data subjects.
- If the processing is not occasional.
- If it includes special categories of data (Art. 9 GDPR) or criminal offences and convictions.
Processing in which any of these circumstances apply must be included in the register.