Page 1

INSTRUCTIONS FOR
LIST OF
PROCESSING ACTIVITIES
1. In general
According to EU Data Protection Regulation 2016/679 (pvrg.) , each responsible party and processor
and, as the case may be, their representative, keep a record of their processing activities. For information that lists
processing activities must include, form of file, accessibility, etc. the provisions of Article 30 shall apply. of the Regulation.

2. Material covers processing activities
The processing list of the responsible party shall contain the following information:
1. Name and contact details of the guarantor and, as the case may be, the joint guarantor,
a representative of the data protection officer.
2. The purpose of the processing.
Description of categories of registered individuals and categories of personal information.
Categories of recipients who have received or will receive the personal information, e.g.
recipients in third countries or international organizations.
5. Where applicable, the disclosure of personal data to third countries or international organizations, including about which
third country or international organization and, in the case of mediation referred to in another
subparagraph 1 Article 49 pvrg., data on appropriate protection measures.
6. If possible, the proposed time limit for deleting different data categories.
7. If possible, a general description of the technical and organizational security measures in question
referred to in the first paragraph. Article 32 pvrg.
The processor's processing file shall contain the following information:
1. Name and contact details of the processor, one or more, and any responsible party
the processor acts on behalf of and, as the case may be, a representative of the guarantor or
processor and privacy officer.
2. Categories of processing carried out on behalf of each responsible party.

Page 2

3. Where applicable, the disclosure of personal data to third countries or international organizations, including about which
third country or international organization, and, in the case of a mediation referred to in
the second subparagraph of paragraph 1 Article 49 pvrg., data on appropriate protection measures.
4. If possible, a general description of the technical and organizational security measures provided
referred to in the first paragraph. Article 32 pvrg.
It should be noted that the responsible party shall enter into a production contract with each processing party. About content
of such processing agreements, reference is made to Article 28. pvrg., as well as the guidelines of the Data Protection Authority in this regard.

3. Our company / organization has less than 250 employees, we need to keep
processing file?
Companies and institutions with less than 250 employees are exempt from the obligation to hold
processing records for certain processes. The exemption, on the other hand, is very narrow and therefore will be
it is rare that it applies entirely to a company or institution.
Thus, companies and institutions with employees under 250 need to keep such a record if the processing is:
1. likely to pose a risk to the rights and freedoms of registered persons;
2. not incidental, or
3. cover specific categories of information, as referred to in paragraph 1. Article 9 pvrg., or
personal data relating to criminal convictions and criminal offenses referred to in 10.
gr. pvrg.
In practice and almost without exception, all companies and institutions must therefore keep records
its processing activities.
It is also worth mentioning that companies and institutions will in all cases benefit from mapping them
the processing of personal information that takes place there, as part of internal management and documentation.

4. How should we prepare a production file?
There is no formal requirement as to how the processing file should be presented, or what method should be used
used in its preparation. Companies and institutions therefore decide on the structure of the register themselves; whether it
is done by having a summary in the form of a written document, an Excel document, or otherwise. Must have though
note that the requirements regarding the content of process files must be complied with, and care must therefore be taken to
is fulfilled regardless of the form used.
The Data Protection Authority has, for example and guidance, prepared a form for the processing file for the responsible party.
on the one hand and the processor on the other. They can be used to get the necessary overview. It may be that who
the guarantor needs to adapt the file to his / her circumstances, as the guarantor's activities may be
very different in size and scope. It is good to keep in mind that the main purpose of the file is to get an overview
over the processing of personal information that takes place in the business, but not necessarily every single one
processing operation performed.
2
1st edition, May 2018

Page 3

The form for the guarantor contains more columns than is required by law. This is done because
that a better overview can be a good tool in the work of ensuring the company's follow-up
duties and rights of the data subject. It is then easier to answer questions from individuals who want to receive
information about what is recorded about them, where the information came from, and on what basis
the source information is processed. The overview is also useful when fulfilling persistent
obligation to provide information, for example with regard to privacy policy.

3
1st edition, May 2018

