Compared with the previous legal framework, Regulation (EU) 2016/679 of the European Parliament and of the Council, known as the GDPR (hereinafter the “Regulation”), newly introduces an obligation to maintain internal documentation of personal data processing activities. The obligation applies both to controllers (Article 30(1)) and to processors and, where applicable, their representatives (Article 30(2)). Since internet traders will in most cases be in the position of controller, this legal bulletin deals with the obligation from that perspective.
The first sentence of Article 30(1) of the Regulation stipulates that “each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility.” Recital 82 of the Regulation adds that “each controller and processor should be obliged to cooperate with the supervisory authority and make those records, on request, available to it, so that it might serve for monitoring those processing operations.” It follows that the record is the trader’s internal documentation: the information it contains is made available to the supervisory authority on request and need not be published, which also matters for its security implications (see the comments on Article 30(1)(g) below).
The second sentence of Article 30(1) of the Regulation then enumerates the mandatory content of the record and thus serves as a guide to preparing such documentation. Some of these requirements are relatively simple to satisfy; others are more complex. Under Article 30(1)(a), the controller must state “the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer…” Joint controllership will rarely arise in the practice of internet traders. The question of when an internet trader may be required to appoint a data protection officer was dealt with in greater detail in one of the previous legal bulletins.
Under Article 30(1)(b) of the Regulation, the controller must record the purposes of the processing. The controller already has to state the purpose or purposes of processing when fulfilling its information obligations towards data subjects (Articles 13 and 14 of the Regulation), so this information should be readily available; the same applies by analogy to a number of the other requirements mentioned below.
Under Article 30(1)(c) and (d) of the Regulation, the record must contain “a description of the categories of data subjects and of the categories of personal data” processed by the controller, and “the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries…” We assume that in most cases internet traders will not transfer personal data outside the European Union (more precisely, outside the European Economic Area), as such transfers entail additional requirements. If a transfer to a so-called third country does take place, however, Article 30(1)(e) requires the record to identify that third country (or international organisation) and, for transfers made under the second subparagraph of Article 49(1), to document the suitable safeguards relied on. A further requirement, under Article 30(1)(f), is to state (where possible) “the envisaged time limits for erasure of the different categories of data”.
The last requirement, stipulated in Article 30(1)(g) of the Regulation, appears to be the most demanding. It obliges the controller to state (where possible) “a general description of the technical and organisational security measures referred to in Article 32(1)”. Article 32(1) lists, as appropriate, the pseudonymisation and encryption of personal data, the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services, the ability to restore the availability of and access to personal data in a timely manner after an incident, and a process for regularly testing, assessing and evaluating the effectiveness of the measures. Completing this part will therefore probably take the controller the most time, and in practice it will also be the least standardised section of the entire internal documentation (the record of processing activities). Because the record is internal and is disclosed only to the supervisory authority on request, the description can be concrete enough to be meaningful; at the same time, the Regulation asks only for a general description, so the level of detail should be chosen with that audience in mind rather than turning the record into a detailed inventory of the trader’s security configuration.
For completeness, it should be mentioned in conclusion that the media often cite in this context the exemption under Article 30(5) of the Regulation for enterprises or organisations employing fewer than 250 persons. In our opinion, however, this exemption will not apply to internet traders or to the majority of other entrepreneurs, since it is lost where the processing is not occasional, and the processing carried out by an internet trader cannot be regarded as occasional.
Josef Aujezdský, advocate
Law Firm Mašek, Kočí, Aujezdský www.e-Advokacie.cz – online legal consultancy
This text was originally prepared by Law Firm Mašek, Kočí, Aujezdský in cooperation with the Association for Electronic Commerce (APEK) as legal bulletin No. 9/2017 intended for members of this association.
This text was translated from Czech to English using an AI translator.