
Does your organization need to keep a register?

Use this page to determine whether a register is required for you.

First, look at the organization's size:

- Does your organization have more than 250 employees? Then you are obliged to keep a register of processing activities.
- Does your organization have fewer than 250 employees? If so, continue with the questions below.

Your organization has fewer than 250 employees.

In that case you must still keep a register when you process personal data:
- of which the processing is not occasional. In practice, processing is rarely occasional: consider the personal data of employees that you process, or of your customers, clients, patients or residents; and/or
- of which the processing is likely to result in a risk to the rights and freedoms of the individuals involved (Article 30(5) sets the threshold at "a risk", not only a high risk); and/or
- that fall under the category of special personal data, such as data on religion, health and political opinions, or data relating to criminal convictions and offences.

Mark the applicable field(s).

If you need to keep a register, fill in the following tabs of this document:
- contact details: the details of your own organization, its DPO and, if applicable, the organizations with which you jointly determine the means and purposes of processing
- us-controller: fill in all activities where you are the data controller
- us-processor: fill in all activities where you are the data processor and some other party is the controller
- receivers: fill in all organizations that receive personal data from you. These should already be mentioned in the tab us-controller and, if applicable, as sub-processors in the tab us-processor
- other-controller: fill in all organizations we process personal data for. These organizations are already mentioned in us-processor
- security measures: document all information about the security measures taken in this tab

The tab regulation-text is just for your information.


Register of processing activities conforming to the GDPR
Information about the organization this register belongs to

Organization name:
Contact person:
Address:
Phone number:
Email:
Has a DPO been appointed?
Name DPO:
Phone number DPO:
E-mail DPO:

Have the means and purposes of processing been determined jointly with another organization (joint controllers, Article 26)? If yes, fill in this table.
Examples are sister organizations or branch organizations.

Nr | Name | Contact details
Rows 1-10: empty, one row per joint controller.

This template was originally created by Sieuwert van Otterloo, privacy expert at ICT Institute.
Use of this template is free, and the template may be changed. The responsibility for correct use lies with you.
When using this template, you should always mention ICT Institute as the creator and include a link to:
www.ictinstitute.nl
Processing activities with our organization as the controller

Columns of this tab (the letters refer to Article 30(1) of the GDPR; see the tab regulation-text). Each column is followed by the content of the example row.

Activity ID
Purpose of processing (1b)
  Example: the recruitment and selection of personnel, the delivery of products, or direct marketing.
Categories of data subjects (1c)
  Example: benefit recipients, employees, customers, or patients.
Categories of personal data (1c)
  Example: citizen service number, name, address, city, phone numbers, camera footage, or IP address.
When possible, the envisaged time limits for erasure of the data (1f)
  Example: 2 weeks after job application.
Categories of recipients of the personal data (1d)
  Example: accountant, external marketing firm, IT supplier. Their contact details should be in the tab receivers.
Is the data being shared outside the Netherlands, and if yes, with which country or international organization? (1e)
  Answer: No, or Yes with the name of the organization and the country. Their contact details should be in the tab receivers.
Technical / organizational measures (1g)
  Example: see the security policy, and mention which measures of the tab security measures are taken.
Optional: has consent been given? If yes, how is this stored?
  Example: Yes, documented in database X … or paper form Y page 22.
Optional: when consent is not asked, what is the lawful basis for processing?
  Example: necessary for the performance of a contract, or necessary for compliance with a national law, or …
Optional: is a DPIA necessary?
  A DPIA is necessary if the processing will likely result in a high risk to the rights and freedoms of data subjects.
Optional: when and by whom is a DPIA done / will it be done?
  Example: August 25th 2018 by the CISO.

Rows 1-10: empty, one row per processing activity.
Processing activities with our organization as the processor

Columns of this tab (the letters refer to Article 30(2) of the GDPR; see the tab regulation-text). Each column is followed by the content of the example row.

Activity ID
Responsible organizations we process for (2a)
  Example: client name (see the tab other-controller).
Contact person name and details (2a)
  Example: J Jansen, director, jansen@client.com
If there is a DPO: name and contact details of the DPO (2a)
  Example: P Pieterse, DPO, DPO@client.com
Categories of processing carried out (2b)
  Example: the recruitment and selection of personnel, the delivery of products, or direct marketing.
Technical / organizational measures (2d)
  Example: see the security policy, and mention which measures of the tab security measures are taken.
Is the data being shared outside the Netherlands, and if yes, with which country or international organization? (2c)
  Answer: No, or Yes with the name of the organization and the country. Their contact details should be in the tab receivers.
Optional: category of data subjects
  Example: benefit recipients, employees, customers, or patients. This is not mandatory but can be useful.
Optional: description of the categories of personal data
  Example: citizen service number, name, address, city, phone numbers, camera footage, or IP address. This is not mandatory but can be useful.

Rows 1-10: empty, one row per processing activity.
Details receivers (parties / sub-processors we send personal data to)

Columns of this tab:
Nr
Name
Contact details
Is this a foreign organization? (1e)
If yes, what is the safeguarding document? (1e)
Optional: date the processing agreement was signed

Example row: ABC | hoofdstraat 1, 1234AB, Amsterdam, name@email.com | yes | approved country, Privacy Shield, or contract with SCC | October 2nd 2018

Rows 1-20: empty, one row per receiver.

All organizations mentioned in the us-controller tab should be filled in here.

Explanation of safeguarding
You may only transfer personal data to countries that offer a level of personal data protection similar to that of the Regulation.
All EU member states have implemented the GDPR, and hence have a "similar level".
Norway, Liechtenstein and Iceland are also approved because of the European Economic Area agreement.
The European Commission takes adequacy decisions for other countries.
Examples of countries with an adequacy decision are New Zealand, Switzerland and Canada (for commercial organisations covered by PIPEDA); the full, current list is at
http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm
The United States were considered adequate when this template was written, but only if the receiving party had signed up to the Privacy Shield framework. Note that the Court of Justice of the EU invalidated Privacy Shield in July 2020 (Schrems II, C-311/18); check the current adequacy decision for the US before relying on it.

For other countries, such as India, the following applies:
There are Standard Contractual Clauses (SCCs), adopted by the European Commission (or adopted by the Dutch supervisory authority AP and approved by the Commission).
These should be put in the contract unchanged.

Saving the date a processing agreement is signed in the register is not mandatory under the GDPR.
Making and signing a processing agreement is mandatory, so this column has been added as a reminder.
Details controllers (controllers we process personal data for)

Columns of this tab:
ID
Name
Contact details
Optional: date the processing agreement was signed

Example row: ABC | hoofdstraat 1, 1234AB, Amsterdam

Rows 1-20: empty, one row per controller.

Fill in the contact details of all organizations mentioned in the tab us-processor.
These are the organizations that are controllers and have hired us to process personal data for them.

Saving the date a processing agreement is signed in the register is not mandatory under the GDPR.
Making and signing a processing agreement is mandatory, so this column has been added as a reminder.
Overview security measures
Article 30 requires, where possible, a general description of the technical and organizational security measures referred to in Article 32(1).
This can be done per activity in the tabs us-controller and us-processor, if different processing activities have different security measures.
Many measures apply to all processing activities; these can be filled in here once.

Option 1: practical examples

By marking the applied measures, you create insight into what is applied and what is not.

Measure | Is applied (yes/no) | Applies to activities
Example measure 1 | yes | all / 1,3,5
Using HTTPS | |
Drafting an information security policy | |
Setting up and implementing an information security management system (ISMS) | |
External testing and certification of the ISMS against the 'Security Verified' standard | |
External testing and certification of the ISMS against the ISO 27001 standard | |
Screening of employees | |
Security awareness training for employees | |
Drafting and maintaining a risk inventory | |
Keeping an incident register | |
Installation of a firewall | |
Installation of a virus scanner | |
Protection against data loss | |
Regular and structural backup of data | |
Encryption of data in the database | |
Encryption of hard disks / storage | |
Encryption of data in transit | |
Regular penetration testing of systems by external ethical hackers | |
Having a responsible disclosure policy | |
Using two-factor or multi-factor authentication | |
Establishing rules for choosing and recording passwords | |
Appointing a Data Protection Officer | |
Drafting and publishing a privacy statement on the website | |
Mandatory password protection on laptops and other mobile devices | |
Mandatory encryption on laptops and other mobile devices | |

This list is not mentioned in the GDPR. You do not need to restrict yourself to this list, and may mention/use other measures as well.
Article 30. Record of processing activities
This tab contains the literal Regulation text, so you can confirm for yourself that this template follows the Regulation. You do not have to fill in anything here. After each item, the tab of this document on which it is recorded is given.

Section | Used on tab

1. Each controller and, where applicable, the controller's representative, shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information:
(a) the name and contact details of the controller and, where applicable, the joint controller, the controller's representative and the data protection officer; | contact details
(b) the purposes of the processing; | us-controller
(c) a description of the categories of data subjects and of the categories of personal data; | us-controller
(d) the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations; | receivers
(e) where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards; | receivers
(f) where possible, the envisaged time limits for erasure of the different categories of data; | us-controller
(g) where possible, a general description of the technical and organisational security measures referred to in Article 32(1). | us-controller and security measures

2. Each processor and, where applicable, the processor's representative shall maintain a record of all categories of processing activities carried out on behalf of a controller, containing:
(a) the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller's or the processor's representative, and the data protection officer; | contact details and other-controller
(b) the categories of processing carried out on behalf of each controller; | us-processor
(c) where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards; | us-processor and receivers
(d) where possible, a general description of the technical and organisational security measures referred to in Article 32(1). | us-processor and security measures
