Humidor

Frequently asked questions

What is a data register?

As a data controller or processor, you must maintain internal documentation of the processing of personal data that you carry out, namely a Register of Processing Activities. Article 30 of the GDPR provides very few exceptions to this obligation. The content of the Register is precisely defined and gives an overview that helps ensure compliance with all obligations arising from the GDPR. It is also a control tool for the Data Protection Authority (DPA).

Who should maintain the register?

Both controllers and processors must maintain a record of processing activities (Article 30(1) and (2) of the GDPR). A controller or processor that is not established in the European Economic Area but to which the GDPR applies must also maintain a record.

Is everyone required to keep a data register?

The obligation to keep a Register, sometimes referred to as the ‘internal documentation obligation’, does not apply to companies with fewer than 250 employees, under certain conditions (Article 30(5) of the GDPR). However, the scope of this exception is very limited.

If a small organisation with fewer than 250 employees regularly (i.e. not merely occasionally) processes personal data, as is usually the case for personnel management, it may limit its Register to its regular processing operations. Strictly occasional processing does not need to be included in the Register. However, this limitation is only possible if the occasional processing operations are not likely to result in a risk to data subjects and do not involve special categories of data.

In general, the Data Protection Authority recommends that all data controllers and processors keep a Register because it provides an overview of the processing operations.

Who is subject to the GDPR?

The GDPR has been applicable throughout the European Union (EU) since 25 May 2018. It applies to everyone who processes personal data, including both large and small businesses. Public authorities are also bound by the GDPR. Individuals are subject to the GDPR too if they process personal data outside a purely personal or household activity, e.g. by installing a camera at their home that also records the public street.

What are the principles of the GDPR?

The GDPR has six basic principles or ‘fundamental principles’. These are set out in Article 5 of the GDPR. Everyone who processes personal data must comply with these principles and be able to demonstrate this. This is the seventh, overarching principle of the GDPR: accountability.

The six GDPR principles are:

  • lawfulness, fairness and transparency
  • purpose limitation
  • data minimisation
  • accuracy
  • storage limitation
  • integrity and confidentiality

What do we mean by lawfulness, fairness and transparency?

To be lawful, processing must always be based on one of the legal bases set out in the GDPR. In addition, the processing must not conflict with other legislation, such as a legal obligation of confidentiality.

The processing must also be ‘fair’. This means that it must not be detrimental, discriminatory, unexpected or misleading to the data subjects in a way that cannot be justified.

Furthermore, it must be transparent to data subjects how and why an organisation processes their personal data. The organisation must communicate this openly and clearly. Data subjects have a right to information so that they can decide for themselves whether they want to share their personal data with the organisation requesting it, and they remain entitled to clear information after they have provided their data.

What is purpose limitation?

Organisations may only collect personal data for a legitimate purpose. That purpose must be specific and explicitly defined in advance. Organisations may therefore not collect personal data merely because it might be useful at some point in the future.

The purpose for which an organisation processes personal data must be compatible with the purpose for which the data was collected. In short, the organisation may not suddenly start processing the data for a different purpose.

This requirement also applies to the transfer of personal data to another organisation (transfer is a form of processing).

What does the legislator mean by the term ‘data minimisation’?

When organisations process personal data, they must do so on the principle of ‘as little as possible’. The data processed must be adequate and relevant to the purpose, and the organisation may not process more data than is necessary to achieve that purpose.

What do they mean by ‘accuracy’?

Organisations must ensure that the data is accurate and must update it when necessary. Data subjects have a right to rectification: they can ask an organisation to correct or complete their personal data if it is inaccurate or incomplete, for example after a request for access has revealed an error. They can also ask for their data to be deleted (the right to erasure), although this right applies only in the cases set out in the GDPR.

What is storage limitation?

Organisations must delete personal data as soon as it is no longer necessary for the purpose for which it was collected. In other words, personal data has an expiry date. Other legislation may require organisations to retain certain personal data for a period of time, for example for bookkeeping, but personal data may never be retained for longer than is necessary. The GDPR does not specify a retention period for personal data; organisations determine this for themselves. It is important, however, that a retention period is specified in the data register for each category of data. A retention period does not necessarily have to be expressed in days, weeks or months; it can also be defined as the period needed to complete a project.

What is meant by confidentiality and integrity?

Organisations must secure their data processing properly. Stricter rules apply to special categories of personal data: data so privacy-sensitive, e.g. medical records, criminal records or political opinions, that an incident such as a data breach could have a major impact on the person concerned. The GDPR provides additional protection for this data. Every organisation that processes personal data must determine for itself which security measures are appropriate, and must be able to demonstrate that it takes security seriously and reviews it continuously.

Do I always need a reason to process personal data?

The answer is short: yes. The basic principle of the GDPR is simple: every time you process someone's personal data, you interfere with their privacy. You may therefore only process that data if it is necessary, in other words if you cannot achieve your purpose without processing it.

The GDPR lists six legal bases or reasons for processing such data.

  • Consent of the data subject
  • Necessary to perform a contract
  • Legal obligation
  • Protection of vital interests
  • Performance of a task in the public interest or exercise of official authority
  • It serves your legitimate interest

State the legal basis in your privacy statement so that data subjects know in advance which basis you are invoking, and record it in your data register as well. You must always be able to justify why you rely on that basis; documenting it in both places helps you meet your accountability obligation.

What is a legitimate interest?

Companies or organisations will often invoke a legitimate interest as a basis because it usually fits best with their activities. However, you must meet three conditions.

  1. You must be able to demonstrate that there is a legitimate interest. There must be a clear link with the business activities.
  2. The processing is necessary to achieve this interest. You must ask yourself whether there are other ways that have less impact on personal data to protect your interests and achieve your goal.
  3. You have balanced the interests of the organisation against the interests of the data subjects. The legitimate interest must not be overridden by the interests or fundamental rights and freedoms of the data subjects; the reasonable expectations of the data subjects as to how their personal data will be processed weigh heavily in this balance.

How do I set up a data register?

A data register must be kept in writing, which includes electronic form (Article 30(3) of the GDPR). It must be legible and understandable for the Data Protection Authority (DPA; in Dutch: GBA).

The register must also be kept up to date as the activities of the company or organisation develop. With a view to the accountability of controllers and processors, it may be useful to keep the information on a processing operation for up to 5 years after it has ended, noting the date on which it ended. The DPA may request access to the Register to verify information about processing operations, even after they have ended.

The company or organisation may determine the language in which the Register is drawn up. However, the DPA may request a translation of the Register into one of the national languages at the expense of the company or organisation.

How much will it cost me?

Very little, compared with the fine you risk if you do not keep a data register.

Monthly rate

15 euros / month

Humidor does not require any software installation and can be set up online in your existing web browser. A subscription costs 15 euros per month and is renewed automatically unless you indicate that you do not wish to renew. The subscription runs per month and is not partially refunded for a month that has already started.

Annual rate

165 euros / year

Sign up for a full year and get one month free. Here too, you use the tool in your standard web browser. The full year is charged at the start and is non-refundable if the subscription is cancelled during the year.