News

🇫🇷 No record of processing activities!

Tools & Documentation | 27/03/2025

📋📖 🇫🇷 The CNIL Sanctions Two Small Companies for Lack of Processing Activity Records 📋📖 🇫🇷

In 2024, the CNIL (French Data Protection Authority) sanctioned two companies with fewer than 250 employees for failing to maintain a register of processing activities, despite the fact that the data processing involved was not occasional.

❌ Violation Identified:

Violation of Article 30 – Absence of a Register of Processing Activities

  • The companies failed to maintain a record of personal data processing activities, a mandatory document that lists all data processing operations.
  • This register is essential for ensuring that collected data is adequate, relevant, and limited to the intended purposes.

📋 Why the Register is Important:

The record of processing activities must be written, either in paper or electronic form, and should include:

  • Contact details of the data controller and, if applicable, the DPO
  • Categories of data processed, purposes, legal bases, retention periods, possible transfers outside the EU
  • Stakeholders involved (operational teams, data recipients, etc.) and the security measures in place

🛑 Exceptions for Small Businesses:

Companies with fewer than 250 employees must maintain a register only for:

• Routine processing (e.g., client management, payroll)
• Processing that presents risks to individuals’ rights and freedoms (e.g., video surveillance, GPS tracking)
• Processing of sensitive data (e.g., health, etc.)
