The Danish Data Protection Agency is now halfway through issuing its guidelines on the General Data Protection Regulation. The guidelines in question concern the requirement of maintaining internal records of processing activities.
When the GDPR comes into force, data controllers and data processors as well as any representatives will be required to keep internal records of their processing activities, such as HR administration.
The requirement regarding records of processing activities is based on the general theme of responsibility in the GDPR and replaces the requirement of notifying the Danish Data Protection Agency of various types of processing. Thus, you are no longer required to notify the Agency on your own initiative of the processing of certain types of personal data, including the current requirement of notification of HR administration. The Agency may instead request access to the relevant company’s records of processing activities.
The guidelines describe the information which the records must contain, including information on the data controller, the purposes of the processing and a description of the categories of data subjects and categories of personal data to be processed. The records must be maintained in hard copy and electronically. Further, the guidelines provide an example of how such records may be structured.
The guidelines are available here (in Danish).
The content of the above is not, and should not be, a substitute for legal advice.
Must the Data Protection Agency be notified in case of an “internal” personal data breach?
The Data Protection Agency has expressed criticism of a municipality, inter alia, because the municipality had failed to notify a personal data breach to the Agency or communicate the breach to the affected employee.
Access to work emails? Can a request to access data be too extensive?
Under the GDPR, a data controller must provide a data subject with access to all personal data which the data controller processes about him or her, if the data subject requests it. However, the data controller may refuse to act on such a request if, for example, the scope of the request for access is excessive.