


Data processing register and why is it necessary


published on 24 March 2023 | reading time approx. 3 minutes


The General Data Protection Regulation requires businesses to create and maintain a register of their personal data processing activities in order to make that processing transparent and ensure accountability. It is known that such a register must be kept by all organizations employing more than 250 persons.

Where fewer than 250 persons are employed, the company may decide whether to create one or not, unless the personal data processing by the respective organization is regular, does not concern special categories of data or personal data relating to criminal convictions and offences and does not present a risk to the rights and freedoms of individuals. 

Otherwise, depending on these factual circumstances, small businesses may also have to create and maintain the register of the personal data processing activities.

Before setting up a register for the personal data processing, the organization should consider: the purpose of the processing, the legal basis for the processing, the amount of data necessary to achieve the purpose, whether the data will be transferred to third parties, whether the data will be transferred outside the European Union and the European Economic Area and information on technical and organizational measures.

There is no regulated format for the creation of such a register, and therefore each organization can choose how to create and maintain it (e.g., as a separate system, an Excel spreadsheet or a hard copy).

The amount of information to be included in the data processing register depends on the processing itself. If the purposes and means of processing personal data are determined by the organization, the following must be indicated in the register:
  1. information on the controller and, where applicable, the joint controller, the controller's representative and the data protection officer; 
  2. the purpose of the processing;
  3. description of the categories of data subjects;
  4. description of the categories of personal data;
  5. persons (e.g. position or representation) to whom the personal data have been disclosed or are intended to be disclosed;
  6. information on recipients in third countries or international organizations where personal data have been disclosed or are intended to be disclosed;
  7. if the personal data are transferred to a third country or international organization, the specific recipient of the personal data (name, contact details) and documentation of appropriate safeguards;
  8. the envisaged time limits for erasure of different categories of personal data;
  9. general description of the technical and organizational security measures.

The organization may delegate the processing to someone else. In this case, the person to whom the data processing has been delegated must be indicated in the register, together with the same information listed above.

Another important matter in this context is that the personal data processing register is not a document that can be drawn up, shelved, and forgotten. 

It is a document that the organization maintains and regularly updates according to the actual situation. The requirement to maintain the personal data processing register is also important because the Latvian Data State Inspectorate has the right to request it from an organization in order to verify that data processing is carried out in accordance with data protection regulation. 

If a comparison of the register with the actual processing reveals discrepancies, or any infringement is discovered, the organization may be held administratively liable and monetary fines may be imposed.

DATA PROTECTION BITES

author


Staņislavs Sviderskis

Assistant Attorney at law, Cyber & Information Security Expert

Senior Associate

+371 6733 8125


RÖDL & PARTNER LATVIA