GDPR register of processing activities – free template

| Joost Krapels | Templates

Under the new privacy rules (English: GDPR, Dutch: AVG) it is compulsory for most organizations to keep a register of processing activities. At ICT Institute we have created a template / example based on the guidelines of the Autoriteit Persoonsgegevens. This template is available free of charge and can be downloaded here.

When is a register required

It is mandatory for organizations to keep a record of processing activities, if you have more than 250 employees, or if you meet one of these three conditions:

  1. If you process personal data and this processing is not incidental. In practice, processing is rarely incidental. Consider, for example, the personal details of employees that you process. Or your clients, customers, patients or residents and / or;
  2. If you process personal data that involves a high risk for the rights and freedoms of the persons whose personal data you process and / or;
  3. If you process personal data that fall under the category of special personal data. Examples are data on religion, health and political preference, or criminal data.

It does not matter whether you are controller or processor. If you meet these conditions, you must keep a register. In practice, almost every company with several employees has to keep a register because they meet condition 1.

The register is not public and does not need to be shared or tested in advance. The Autoriteit Persoonsgegevens or other supervisory authority can ask for it if they want more information. This can happen, for example, after you have reported a data breach. You may choose in which tooling or format you keep it. In our experience it is useful to start in Excel.

Download the free template

Via this link you can download the register of processing activities. The register can be used free of charge according to the Creative Commons principle. You may use, modify, transmit, as long as you refer to ictinstitute.nl.

The register consists of several tabs that exactly match the legally required elements. You can use the first tab to determine whether you need a register. The last tab contains the literal legal text from the GDPR. This allows you to check whether your register meets the legal requirements.

More information

The article GDPR in ten steps, describes the actions you need to take to comply with the AVG. If you have any questions about this, we offer the basic privacy and GDPR training in which all steps are handled. We are making information available for all steps. We have an example procedure for reporting data leaks (Dutch) and also a free template processing agreement (Dutch). For more articles about privacy, visit our page with all privacy articles.

Image credit: Jan Kahanek via Unsplash.

Author: Joost Krapels
Joost Krapels has completed his BSc. Artificial Intelligence and MSc. Information Sciences at the VU Amsterdam. Within ICT Institute, Joost provides IT advice to clients, advises clients on Security and Privacy, and further develops our internal tools and templates.