Does Your Organization Need To Keep A Register?
If you need to keep a register, fill in the following tabs of this document:
- contact details
- us-controller: fill in all activities where you are the data controller
- us-processor: fill in all activities where you are the data processor and some other party is the controller
- receivers: fill in all organizations that receive personal data from you. These should already be filled in on the tab us-controller and, if applicable, also as sub-processors on the tab us-processor
- other-controller: fill in all organizations we process personal data for. These organizations are already mentioned on the tab us-processor
- security measures: document all information about the security measures taken in this tab
Have the means and purposes of processing been determined together with another organization? If yes, fill in this table.
Examples are sister organizations or branch organizations.
This template was originally created by Sieuwert van Otterloo, privacy expert at ICT Institute.
Use of this template is free, and the template may be changed. The responsibility for correct use lies with you.
When using this template, you should always mention ICT Institute as the creator and include a link to:
www.ictinstitute.nl
Processing activities with our organization as the controller
Column guidance for this tab (example values; rows 1 to 10 are left empty in the template):
- Input and information (column header only partially preserved)
- Purpose of the processing: for example the recruitment and selection of personnel, the delivery of products, or direct marketing
- Categories of data subjects: for example benefit recipients, employees, customers, or patients
Further columns of the us-controller tab (processing activities with our organization as the controller), with example entries:
- Necessary for the performance of a contract, or necessary for compliance with a national law, or …
- A DPIA is necessary if the processing will likely result in a high risk to the rights and freedoms of data subjects
- August 25th 2018 by CISO
Processing activities with our organization as the processor
Columns of this tab (numbers refer to the Article 30 subsections):
- Activity ID
- Responsible organizations we process for, 2a (see tab other-controllers)
- Contact person name and details, 2a
- If there is a DPO: name and contact details of the DPO, 2a
- Categories of processing carried out, 2b
- Technical / organizational measures, 2d
- Is being shared outside the Netherlands, and if yes, with which country or international organization?, 2c
- Optional: category of data subjects
Explanation of safeguarding
You may only transfer personal data to countries if they offer a similar level of personal data protection as the Regulation does
All EU member states have implemented the GDPR, and hence have a "similar level"
Other approved countries are Norway, Liechtenstein, and Iceland due to the European Economic Area agreements
The European Commission takes adequacy decisions for other countries
Already approved are: New Zealand, Switzerland, and Canada (except Quebec)
See http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm
The United States have been considered adequate, but only if the receiving party has signed the Privacy Shield declaration
Saving the date a processing agreement is signed in the register is not mandatory in the GDPR
Making and signing a processing agreement is mandatory, so this column has been added as a reminder
Details controllers (controllers we process personal data for)
Columns: ID; Name; Contact details; Optional: date processing agreement signed
Fill in the contact details of all organizations mentioned in the tab us-processor
These are the organizations that are controllers, and have hired us to process personal data for them
Saving the date a processing agreement is signed in the register is not mandatory in the GDPR
Making and signing a processing agreement is mandatory, so this column has been added as a reminder
Overview security measures
It is mandatory, where possible, to give a detailed description of the technical and organizational security measures
This can be done in tables 1 and 2 if different security measures have been taken for different processing agreements
Many measures apply to all processing activities; these can be filled in here once
This list is not mentioned in the GDPR. You do not need to restrict yourself to this list, and may mention/use other measures as well
Article 30. Record of processing activities
This tab contains the literal Regulation text. This way, you can confirm for yourself that this template follows the
Section / Used on tab (the section references are not preserved here; the "Used on tab" column reads, in order):
- contact details
- us-controller
- us-controller
- receivers
- list-of-receivers
- us-controller
- us-controller and security measures
- contact details and list-of-controllers
- us-processor
- us-processor and security measures