GDPR: Records of Processing Must Be Backed Up With The Purpose

-
 
26 April 2019

Defining Data Processing
A German consulting firm indicates that what a "processing activity" entails for the purpose of an Article 30 records of processing is unclear from the GDPR; to comply, document each business process with a level of abstraction that depends on the size of the business (e.g. HR might suffice for small businesses, while medium enterprises might distinguish recruitment, management, etc.).



Background Facts:
  • an overview of what is considered a processing activity within the meaning of the GDPR.
Relevance to Business Activity:
  • defining data processing considerations:
    • introduction:
      • article 30 of the GDPR requires data controllers to maintain a record of their processing activities:
        • it is important to understand what a processing activity is.
      • what constitutes a processing activity is unclear from the GDPR and the analysis of the DPAs:
        • in order to comply with article 30 of the GDPR, organizations must keep a record of the:
          • processing activity;Control and
          • additional information about the processing such as:
            • purpose of processing;Control and
            • the categories of data processed.Control
    • data protection authorities ("DPA") on the subject:
      • the DPA in Baden-Wurttemberg:
        • stated that a processing activity is a special independent business process:
          • it is necessary to set a stringent standard so that each new purpose constitutes a separate processing activity.Control
        • equated processing activity with a business process, assuming a lower level of detail than what processing entails:Control
          • in practice, a business process does not only involve processing.
      • the German Data Protection Conference:
        • defines processing as a business process at an appropriate level of abstraction;Control and
        • acknowledges that the business process can be described at an appropriate level of abstraction.Control
    • conclusion:
      • processing activities depend on the size of the business:
        • the entire human resources administration can be a single processing activity for a small business with few employees;Control but
        • a medium sized business might need a breakdown for recruitment, staff management or termination.Control
      • the processing purpose must be documented with each description of a processing activity such as:
        • personal file management;Control and
        • payroll accounting or working time records.



Location: London, UK

Comments

Post a Comment

Popular posts from this blog

Olivia: The New Tool from Garante Privacy to Help Protect Your Data

-
Image
In the digital era, data protection has become one of the most critical aspects of business operations. Whether you run a small startup or a multinational corporation, ensuring the privacy and security of customer data is essential. With GDPR (General Data Protection Regulation) in full effect, the challenge for many businesses is how to effectively comply with complex legal requirements. Enter Olivia, a groundbreaking tool launched by Garante Privacy—Italy’s data protection authority—that aims to make GDPR compliance easier for everyone. What is Olivia? Olivia is a powerful and intuitive tool designed to assist businesses in meeting their data privacy obligations under GDPR. Developed by Garante Privacy, the Italian authority responsible for protecting personal data, Olivia provides automated features and guidance to help companies safeguard personal information, avoid costly data breaches, and ensure full regulatory compliance. Key Features of Olivia 1. Automated GDPR Audits Olivia s...
Read more

Navigating the Future of Recruitment: Understanding ICO recommendations on AI Tools

-
Image
  Artificial intelligence (AI) is revolutionizing recruitment by offering faster and more efficient processes while claiming to reduce human biases. However, as highlighted in the UK Information Commissioner’s Office (ICO) report published in November 2024, using AI in hiring comes with ethical and legal responsibilities. HR professionals must ensure compliance, safeguard candidate rights, and foster trust by aligning their practices with these recommendations. The ICO's audit of AI tools, conducted between August 2023 and May 2024, exposed both strengths and risks in their application. While some providers showed positive efforts in monitoring bias and accuracy, others revealed alarming practices, such as excessive data collection and opaque decision-making. With nearly 300 recommendations outlined, the report provides a clear roadmap for HR teams and AI developers to improve compliance. Addressing Key HR Activities with AI Tools The ICO's findings emphasize the need for HR te...
Read more

Italy: Garante's new guidelines on cookies and similar tracking technologies

-
Image
    The Italian data protection authority ('Garante') launched, on 10 December 2020, a public consultation on its draft guidelines on cookies and other similar tracking technologies 1 ('the Guidelines'). In particular, the Guidelines aim to illustrate the legislation applicable to the storing of information, or the gaining of access to information already stored, in the terminal equipment of users, as well as to specify the lawful means to provide the cookie policy and collect online consent of data subjects, where necessary, in light of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). In addition, the Guidelines note that the Garante's previous guidance on Simplified Arrangements to Provide Information and Obtain Consent Regarding Cookies 2 , while maintaining its relevance, need to be integrated with specific reference to certain aspects such as scrolling as a lawful means to collect consent for profiling cookies ...
Read more