Record of processing activities

Regulation (EU) 2016/679 of the European Parliament and of the Council (further referred to as the “GDPR”) imposed new obligations on controllers and processors. One such obligation is to maintain a record of processing activities. Below we specify when maintaining the record is obligatory.

Obligations of a data controller

The obligations of a data controller under the GDPR include, among others, implementing relevant technical and organisational measures to process personal data in accordance with the GDPR, maintaining a record of processing activities and conducting a personal data breach risk analysis.

Obligations of a processor

The obligations of a processor include maintaining a record of the categories of processing activities carried out on behalf of the controller.

Purpose of record keeping

According to the recitals of the GDPR, maintaining both records serves the following functions:

  1. ensuring compliance with the GDPR;
  2. allowing the President of the Personal Data Protection Office to exercise supervision over the processing of personal data.

Requirement to maintain a record of processing activities and a record of the categories of processing activities

In principle, each controller is required to maintain a record of processing activities (while a processor must maintain a record of the categories of processing activities).

However, under the GDPR, this obligation does not apply to entities with fewer than 250 employees, unless the processing of personal data:

  1. may result in a risk to the rights and freedoms of data subjects;
  2. is not occasional;
  3. involves special categories of personal data or personal data relating to criminal convictions.

Record of processing activities

The record of processing activities should include, at a minimum:

  1. details of the controller (first name and surname, business name, contact details, etc.);
  2. purposes of the processing;
  3. description of the categories of data subjects;
  4. categories of personal data;
  5. categories of recipients;
  6. information on the transfer of data to a third country;
  7. time limit for erasure of data;
  8. description of security measures.

Record of the categories of processing activities

A record of the categories of processing activities should include, at a minimum:

  1. details of the controllers and the processor (first name and surname, business name, contact details, etc.);
  2. categories of processing activities carried out on behalf of each controller;
  3. information on the transfer of data to a third country;
  4. description of security measures.

Form of record keeping

Both records, i.e. the record of processing activities and the record of the categories of processing activities, are to be maintained in writing, but they may also be kept in electronic form.

Summary

To sum up, maintaining the records referred to above is a new obligation imposed on large business entities or those processing special categories of data. The purpose of record keeping is to enable the monitoring of personal data processing by each such entity. The scope of information to be included in the records of personal data processing activities under the GDPR is a minimum, not an exhaustive list, so controllers (and processors) may incorporate additional elements to streamline their operations. It is also important to note that failure to maintain the records as required under the GDPR carries the risk of high administrative fines, which may be imposed by the supervisory authority.

Controller, joint controller and processor

Regulation (EU) 2016/679 of the European Parliament and of the Council, also known as the General Data Protection Regulation, or GDPR, provides definitions of several entities actively involved in the processing of personal data. Below we explain when an entrepreneur will be considered a controller, a joint controller, and a processor under the GDPR.

Controller

As defined in the GDPR, a controller is a body which determines the purposes and means of the processing of personal data in its possession.

A controller may be:

  1. a natural person;
  2. a legal person (e.g. a limited liability company);
  3. a public authority (e.g. a municipal office);
  4. an agency or another entity (e.g. a general partnership).

Therefore, it is the entity itself, for example a commercial law company, that is the controller of personal data, and not its representative bodies (e.g. a company’s management board).

Neither the GDPR nor any other legal act specifies the exact meaning of the phrase “to determine the purposes and means of the processing of personal data”. Consequently, whether an entity is a controller depends on its specific situation. In simple terms, a controller is a person (or another entity) that decides on the purposes and means of the processing of personal data.

Accordingly, entities that could be considered controllers may include, for example:

  1. an entrepreneur that holds personal data of its customers;
  2. a commercial law company that holds personal data of its employees;
  3. an association that holds data about its members, etc.

Main obligations of a data controller

The primary responsibilities of a personal data controller include:

  1. implementing relevant technical and organisational measures to process personal data held by it in accordance with the GDPR;
  2. implementing appropriate technical and organisational measures to establish the necessary safeguards to protect personal data;
  3. appointing a personal data protection officer;
  4. giving effect to data subjects’ rights, upon request;
  5. maintaining a record of processing activities;
  6. conducting a personal data breach risk analysis;
  7. cooperating with the supervisory authority – the President of the Personal Data Protection Office – which includes notifying it of any personal data breach.

Joint controller

A joint controller is an entity that determines the purposes and means of personal data processing jointly with another entity (or other entities). For example, joint controllers could be partners in a civil law partnership acting jointly within the framework of the partnership they have established.

Joint controllers determine their respective responsibilities for compliance with the obligations under the GDPR.

Processor

A processor is a natural or legal person, public authority or another body which processes personal data on behalf of the controller (e.g. an external provider of accounting services to a business).

Under the GDPR, a controller may only use processors providing sufficient guarantees to implement appropriate technical and organisational measures to ensure the protection of the personal data processed by them.

Processing of personal data by a processor is governed by a contract concluded between the processor and the controller or by another legal act under Union or Member State law (including the legal provisions applicable in the Republic of Poland).

Main obligations of a processor

Most notably, a processor:

  1. processes the personal data only on documented instructions from the controller;
  2. ensures that persons authorised to process the personal data have committed themselves to confidentiality;
  3. assists the controller in ensuring compliance with its obligations under the GDPR;
  4. maintains a record of the categories of processing activities carried out on behalf of the controller.

Summary

To conclude, a controller and joint controllers are the main entities that process personal data in their possession within the framework of the established purposes and means of their processing. They are also the entities which bear full responsibility for the data they collect, possess, and otherwise process in the course of their business or professional activity.

The situation of processors is different as they are not independent entities when it comes to the processing of personal data entrusted to them. They are liable to controllers for every action performed on the personal data, which makes such entities dependent on the controller’s instructions.

Marketing and GDPR

Since 25 May 2018, i.e. the date on which Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation – GDPR) entered into force, businesses have been required to conduct their marketing activities under new rules. Presented below are the circumstances in which a data subject’s consent for conducting marketing activities is required, and those in which such consent is not necessary.

Legal grounds for the processing of personal data for marketing purposes

Personal data is any information about an identified or identifiable natural person (e.g. name, phone number, email address, etc.). The processing of personal data means any operation or set of operations which is performed on personal data (collection, recording, storage, etc.).

The processing of personal data is compliant with the GDPR if:

  1. consent for the processing has been given;
  2. it is necessary for the performance of a contract;
  3. it is necessary for compliance with a legal obligation to which the controller is subject;
  4. it is necessary in order to protect the vital interests of the data subject or of another natural person;
  5. it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  6. it is necessary for the legitimate interests of the controller.

A business entity (controller) may only process personal data for marketing purposes if:

  • consent of the data subject has been obtained; or
  • the data is being processed in the legitimate interest of the controller.

Consent of the data subject

The first and main basis for the processing of personal data for marketing purposes is the consent of the data subject. Such consent, as defined in the GDPR, means an indication of the data subject’s wishes, which must be freely given, specific, unambiguous and informed. It may be expressed either by a written or oral statement or by a clear affirmative action (e.g. ticking a box on a website). General, blanket authorisations are not a valid basis for the processing of personal data.

In one of its recitals, the GDPR specifies that silence or inactivity does not constitute consent. In accordance with the current legal framework under the GDPR, the declaration of consent cannot be hidden (e.g. in the terms and conditions introduced by the controller) or written in small print at the bottom of the page.

Without doubt, the controller must be able to demonstrate that consent for the processing of personal data, including for marketing purposes, has been granted. It is important to point out that such consent can be withdrawn at any time. A child who is at least 16 years old may also give their consent to the processing of their personal data, but only where the processing concerns so-called information society services.

Controller’s legitimate interest

The second basis for the processing of personal data is a legitimate interest of the controller. However, it should be noted that this basis may only be relied upon for the purpose of direct marketing. A legitimate interest of the controller cannot be asserted where it is overridden by the interests or rights and freedoms of the data subject (e.g. when the data subject is a child).

According to one of the recitals of the GDPR, a legitimate interest exists where there is a relevant relationship between the data subject and the controller (e.g. a seller–customer relationship). However, it is important to note that the existence of a legitimate interest should always be assessed in a specific context. Therefore, businesses should rely on this basis for the processing of personal data only when they have no doubt that such a relationship exists in a given situation. This avoids allegations that the processing has no legal basis, and the legal and administrative sanctions that could follow.

Direct marketing involves direct communication with the customer who is offered products or services tailored to their individual needs and expectations (e.g. by e-mail or telephone). With regard to direct marketing, the data subject must be guaranteed the right to object to the processing of their personal data. They must be informed that such an objection may be lodged at any time.

Marketing databases

Controllers creating marketing databases must keep the full text of the consents to the processing of personal data received from the data subjects in order to be able to prove that such consents have been obtained.

Moreover, personal data may currently be processed only for a specified purpose and for a limited time. Consequently, personal data obtained in the past cannot be stored by business entities in their databases indefinitely if the purpose for which it had been collected has ceased to exist.

Summary

It should be emphasised that the GDPR does not prohibit the creation of personal databases for marketing purposes. It is allowed with the consent of the data subjects or if based on the controller’s legitimate interest. However, new responsibilities have been imposed on controllers. These include the obligation to provide information and the obligation to respect the data subject’s “right to be forgotten”.
