The Danish Data Protection Agency is now halfway through issuing its guidelines on the General Data Protection Regulation. The guidelines in question concern the re-quirement of maintaining internal records of processing activities.
When the GDPR comes into force, data controllers and data processors as well as any representatives will be required to keep internal records of their processing activ-ities, such as HR administration.
The requirement regarding records of processing activities is based on the general theme of responsibility in the GDPR and replaces the requirement of notifying the Danish Data Protection Agency of various types of processing. Thus, it is no longer required that you on your own initiative notify the Agency of the processing of cer-tain types of personal data, including the current requirement of notification of HR administration. The Agency may instead request access to the relevant company’s records of processing activities.
The guidelines describe the information which the records must contain, including in-formation on the data controller, the purposes of the processing and a description of the categories of data subjects and categories of personal data to be processed. The records must be maintained in hard copy and electronically. Further, the guide-lines provide an example of how such records may be structured.
The guidelines are available here (in Danish).
The content of the above is not, and should not be a substitute for legal advice.