
Record Processing Activities

The document provides a template and guidance for organizations to document their personal data processing activities as required by the GDPR. It includes sections for listing all processing operations, details to include for each one, examples of completed forms, and references for additional information.

Record of processing activities - Tutorial

In order to help with the maintenance of the records, CNIL proposes a template of a simplified record of processing […]et the most common needs in terms of data processing, in particular the ones concerning small business.

This document aims to identify the personal data processing operations carried out in your organisation as a control[…] and regularly updated, it will allow you to meet the requirement to maintain a record of processing as set out in the GDPR.

Your record will consist of a processing list (tab 2) and at least one record form (tab 3).

► For more information on records of processing, you can consult the dedicated page on the CNIL website.

► Once you have completed the inventory of your processing activities, you will be able to identify the actions to be taken in […]pliant with the GDPR.

Do you need help with the GDPR?

► Feel free to consult the Practical Guide to GDPR Awareness, available on the CNIL website (in French).

In some cases, comments will be provided to help you complete your record (red triangle in the cell).

Document composition

► Tab 2 "Processing list"

This tab allows you to list all the activities of your organization that require the processing of personal data. With thi[…]ave a first overview of your data processing.

► Tab 3 "Template of a record of processing form"

You must create and maintain one record of processing form per operation. Replicate and complete this template as […] necessary.

► Tab 4 "Example of a completed record of processing form"

This section provides an example of how to shape and edit a record of processing form. This example, however, is based on a fictitious processing and should not be repeated as it is, but adapted according to your processing.
Contact details of the responsible for the organisation (controller itself or its representative if the controller is located outside the EU)

Last name: Name: Address: Zip code: Town: Phone number: Email address:

Contact details of the representative (controller itself or its representative if the controller is located outside the EU)

Last name: Name: Address: Zip code: Town: Phone number: Email address:

Contact details of the Data Protection Officer (DPO)

Organisation (if external DPO): Last name: Name: Address: Zip code: Town: Phone number: Email address:

Processing details

Name of the processing operation: (EXAMPLE) Payroll Management

N° / REF: 1-Example

Date of creation of the record form: May 25, 2018

Last update of the record form: May 13, 2018

Purpose of the data processing: Payroll management, Calculation of remuneration, Calculation of the amount of payments sent to social security institutions.

Special categories of personal data? (Yes/No): No

Template of a record of processing form

This tab is a template of an operational form to be reproduced, adapted and completed according to your activity for each processing operation. In some cases, comments will be provided to help you complete your record form (red triangle in the cell).

Description of the processing operation

Name of the processing operation

N° / REF

Date of creation of the processing

Update of the processing

Stakeholders (columns: Name, Address, ZIP Code, Town, Country, Phone number, Email address)

Controller

Data protection officer

DPO's Organisation (if external DPO)

Representative

Joint controller(s)

Purpose(s) of the data processing

Main purpose

Sub-purpose 1

Sub-purpose 2

Sub-purpose 3

Sub-purpose 4

Sub-purpose 5

Categories of personal data (columns: Description, Data retention period)

Marital status, ID, identification data, images...

Personal life (lifestyle, family situation, etc.)

Economic and financial information (income, financial situation, tax situation, etc.)

Connection data (IP address, logs, etc.)

Location data (movements, GPS data, GSM, etc.)

Social Security Number (or NIR)

Special categories of personal data (columns: Description, Data retention period)

Data revealing racial or ethnic origin

Data revealing political opinions

Data revealing religious or philosophical beliefs

Data revealing trade union membership

Genetic data

Biometric data for the purpose of uniquely identifying a natural person

Data concerning health

Data concerning a natural person's sex life or sexual orientation

Data relating to criminal convictions and offences

Categories of data subjects (columns: Description, Details)

Category 1: Select an item from the list ►

Category 2

Recipients (columns: Type of recipient, Details)

Recipient 1: Select an item from the list ►

Recipient 2

Recipient 3

Recipient 4

Security measures (columns: Type of security measure, Details)

Security measure 1: Select an item from the list ►

Security measure 2

Security measure 3

Transfers to third countries or international organisations (columns: Recipient, Country, Type of guarantees, Links to relevant documents)

Recipient organisation 1 (Country: Select an item from the list ►; Type of guarantees: Select an item from the list ►)

Recipient organisation 2

Recipient organisation 3

Recipient organisation 4

Example of a completed record of processing form

This example is based on a fictitious processing and should not be repeated as it is, but adapted according to your processing (cf. tab 3).

Description of the processing operation

Name of the processing operation: Payroll management

N° / REF: 1 - Example

Date of creation of the processing: May 26, 2018

Update of the processing: May 13, 2019

Stakeholders (columns: Name, Address, ZIP Code, Town, Country, Phone number, Email address)

Controller: Louise DUPONT, 1 rue Rivoli, 75001, Paris, France, 01 xx xx xx xx, [email protected]

Data protection officer: Martin HENRI, 1 rue Rivoli, 75001, Paris, France, 01 xx xx xx xx, [email protected]

DPO's Organisation (if external DPO): N/A

Purpose(s) of the data processing

Main purpose: Payroll management

Sub-purpose 1: Calculation of remuneration

Sub-purpose 2: Calculation of the amount of payments made to social security organisations

Sub-purpose 3: Transfer orders to the bank

Categories of personal data (columns: Description, Data retention period)

Marital status, ID, identification data, images...: Last names, names and addresses; 5 years from the payment of the salary

Economic and financial information (income, financial situation, tax situation, etc.): Bank account details; 5 years from the payment of the salary

Social Security Number (or NIR): Social security numbers of the employees; 5 years from the payment of the salary

Categories of data subjects (columns: Description, Details)

Category 1: Employees

Recipients (columns: Type of recipient, Details)

Recipient 1: Internal department that processes the concerned data; Administrative and Financial Department

Recipient 2: Institutional or commercial partners; Social organisations

Recipient 3: Recipients in third countries or international organisations; Bank of Andorra

Security measures (columns: Type of security measure, Details)

Security measure 1: Software protection measures

Security measure 2: Data backup

Security measure 3: User access control

Transfers to third countries or international organisations (columns: Recipient, Country, Type of guarantees, Links to the related documents)

Recipient organisation 1: Bank of Andorra; Andorra; Standard contractual clauses (SCC); Agreement dated January 23, 2011.

Guarantees (Select an item from the list ►)

Standard contractual clauses (SCC)
Binding corporate rules (BCR)
Country providing an adequate level of protection
Privacy Shield
Code of conduct
Certification
Derogations (Article 49)

Country and Zone (Select an item from the list ►)

Adequate: Andorra; Argentina; Canada; United States; Guernsey; Isle of Man; Faroe Islands; Israel; Jersey; New Zealand; Switzerland; Uruguay.

Not adequate: Afghanistan; Albania; Algeria; Angola; Antigua & Barbuda; Armenia; Australia; Azerbaijan; Bahamas, The; Bahrain; Bangladesh; Barbados; Belarus; Belize; Benin; Bermuda; Bhutan; Bolivia; Bosnia & Herzegovina; Botswana; Brazil; Brunei; Burkina Faso; Burma; Burundi; Cambodia; Cameroon; Cape Verde; Central African Rep.; Chad; Chile; China; Colombia; Comoros; Congo, Dem. Rep.; Congo, Repub. of the; Costa Rica; Cote d'Ivoire; Cuba; Djibouti; Dominica; Dominican Republic; East Timor; Ecuador; Egypt; Equatorial Guinea; Eritrea; Ethiopia; Fiji; Gabon; Gambia, The; Georgia; Ghana; Gibraltar; Grenada; Greenland; Guatemala; Guinea; Guinea-Bissau; Guyana; Haiti; Honduras; Hong Kong; India; Indonesia; Iran; Iraq; Jamaica; Japan; Jordan; Kazakhstan; Kenya; Kiribati; Korea, North; Korea, South; Kosovo; Kuwait; Kyrgyzstan; Laos; Lebanon; Lesotho; Liberia; Libya; Macedonia; Madagascar; Malawi; Malaysia; Maldives; Mali; Marshall Islands; Mauritania; Mauritius; Mexico; Micronesia, Fed. St.; Moldova; Monaco; Mongolia; Montenegro; Morocco; Mozambique; Namibia; Nauru; Nepal; Nicaragua; Niger; Nigeria; Oman; Pakistan; Palau; Palestine, State of; Panama; Papua New Guinea; Paraguay; Peru; Philippines; Puerto Rico; Qatar; Russia; Rwanda; Saint Kitts & Nevis; Saint Lucia; Saint Vincent and the Grenadines; Solomon Islands; El Salvador; Samoa; San Marino; Sao Tome & Principe; Saudi Arabia; Senegal; Serbia; Seychelles; Sierra Leone; Singapore; Somalia; South Africa; South Sudan; Sri Lanka; Sudan; Suriname; Swaziland; Syria; Taiwan; Tajikistan; Tanzania; Thailand; Togo; Tonga; Trinidad & Tobago; Tunisia; Turkey; Turkmenistan; Tuvalu; Uganda; Ukraine; United Arab Emirates; Uzbekistan; Vanuatu; Venezuela; Vietnam; Western Sahara; Yemen; Zambia; Zimbabwe.

Categories (Select an item from the list ►)

Employees
Internal services
Customers
Suppliers
Service providers
Potential customers
Applicants
Other (specify)

Recipients (Select an item from the list ►)

Internal department that processes the concerned data
Processors
Recipients in third countries or international organisations
Institutional or commercial partners
Other (specify)

Security measures (Select an item from the list ►)

Traceability measures
Software protection measures
Data backup
Data encryption
User access control
Control of processors
Other measures (specify)