Register of personal data processing: what does the CNIL say?

Updated: Mar 15

"The GDPR is administrative red tape, but hey, we're going to do it, this register of personal data processing, since it's mandatory..."

Our consultants hear this phrase regularly, and it reveals two major problems.

Firstly, it equates the GDPR with the register of personal data processing, which is of course false. GDPR compliance implies many other obligations, linked to documents or day-to-day actions. The equation "register of processing = GDPR compliance" is as false as the classic equation "GDPR compliance = data security".

Secondly, this point of view clearly reveals the extent to which the register of personal data processing suffers from being understood as an unnecessary paperwork task... when it's quite the opposite! The register of personal data processing operations is a task that doesn't need to be formalised to any great extent, but it does have a number of benefits.

First of all, being GDPR-compliant means respecting people's privacy by ensuring a satisfactory level of control over the uses made of their personal data. And how can you control these uses if you don't know what they are?

You can't control what you don't know. The purpose of drawing up a register of personal data processing is not, therefore, to create additional documentation, but to ask the right questions about the processing (i.e. the uses) of personal data (after identifying them, of course).

The second major benefit of the register of personal data processing lies in the action plan that a processing sheet can contain. In a register of personal data processing, the areas for improvement in data processing must be included, thus enabling regular improvement in the level of control over these processes.

These areas of improvement may concern data security, of course, but also the provision of information to individuals, data minimisation, the management of the retention period for certain data, etc., right up to a study of the very usefulness of maintaining a processing operation!

The aim of setting up a register of personal data processing is therefore not the documentation itself, but the use made of it. Building such a register is far from being a sterile action: keeping and regularly reviewing the register of personal data processing means that the right actions can be taken, to ensure control over the uses made of personal data.

So what exactly is a register of personal data processing?

The CNIL defines this register as an inventory and analysis document, intended to reflect the reality of your personal data processing, and enabling you to identify precisely:

  • Stakeholders involved in personal data processing (representatives, subcontractors, co-responsible parties);

  • The categories of data processed;

  • The purpose of the processing (why you are processing the data) and the people who have access to the processed data (authorised access or data sharing);

  • How long the processed data is kept;

  • The technical security measures implemented to guarantee data confidentiality.

This documentation of your data processing then enables you to ask yourself the right questions: do you really need this data for your processing? Does it make sense to keep all this data for so long? Are the data you process sufficiently well protected?

Who is required to keep a register of personal data processing?

Everyone! This obligation applies to both private and public organisations, as long as they process personal data, regardless of their size!

Only organisations with fewer than 250 employees are not fully subject to this obligation. They benefit from an exemption (or rather a reduction) allowing them to register only the following data processing operations:

  • Regular data processing (e.g. payroll, employee management, supplier management, prospect management, etc.);

  • Processing likely to entail a risk for the rights and freedoms of data subjects (e.g. geolocation systems, video surveillance);

  • Data processing involving sensitive data (e.g. health data, data relating to criminal convictions, etc.).

In practice, this derogation is limited to very specific cases of processing, carried out on an occasional basis. One example is the launch of a communication campaign to mark the opening of a new establishment (provided, of course, that the data processing carried out poses no risk to data subjects). Data processing carried out in this context doesn't need to appear in the register of personal data processing, as it is occasional.

How does it work in the case of subcontracting?

It is sometimes possible to outsource certain personal data processing operations to an external third party. One example is a company that delegates the management of its employees and their payroll to a subcontractor.

In this context, Article 30 of the GDPR lays down very specific obligations for the controller's register of personal data processing and for the processor's register.

Thus, if your organisation acts as both controller and processor, you are required to maintain two different registers of personal data processing for these two activities:

  • A register for personal data processing for which you are responsible;

  • And a second processing register for the personal data you process on behalf of your customers.

What form should this register of personal data processing take?

The GDPR requires this register of personal data processing to be in written form. However, no precise format is imposed, and the register can be kept in digital or paper format.

Nevertheless, the register of personal data processing must be updated regularly, as data processing evolves. It is therefore important to choose a format that is suitable for such regular changes and updates.

To conclude

The register of personal data processing is therefore often regarded as mandatory and rather restrictive documentation, as the usefulness and relevance of this document are still too little known.

Compliance with the GDPR implies respecting people's privacy through the control and satisfactory use of their personal data. To enable this control as well as this satisfactory use of personal data, it is essential that you list the data processed and analyse the processing carried out.

The register of personal data processing is therefore essential documentation for true compliance with the GDPR, and is a decisive element in your regulatory compliance.
