Privacy & Information Security Law Blog

On July 25, 2019, the French Data Protection Authority (the “CNIL”) published new template records of data processing activities pursuant to Article 30 of the EU General Data Protection Regulation (“GDPR”). This provision requires organizations subject to the GDPR to maintain internal records of data processing activities. The CNIL recalled that such records are a key accountability tool under the GDPR for identifying, understanding and controlling data processing activities. Setting up and maintaining these records provide businesses with the opportunity to ask the right questions and limit privacy risks under the GDPR. According to the CNIL, this is also a useful moment to set up a data protection compliance action plan.

The CNIL’s new template records of data processing activities is available in Open Document Spreadsheet (.ods) format – a format which is compatible with most spreadsheet applications (Microsoft Excel, OpenOffice Calc and LibreOffice Calc). The CNIL’s new template records include (1) a spreadsheet to list all the data processing activities of the organization concerned; (2) a spreadsheet that must be filled in per processing activity; and (3) an example of completed spreadsheet for a specific processing activity (i.e., processing of employee personal data for payroll administration), which was created by the CNIL to show how to fill in the records.

To learn more, please view the CNIL’s new templates records (available in French only).