Controller of Data Processing:

Abbreviation:
Alias:
Dutch/French Name:
Address:
Statute:
KBO/BCE Number:
General Phone Number:
General E-Mail Address:
Website:

Data Protection Officer:

Address:
Phone number:
Cell:
E-mail:
Part of Staff:
Registry of processing activity
Controller of Data Processing:
Abbreviation:
Alias:
Dutch/French Name:
Address:
Statute:
KBO/BCE Number:
General Phone Number:
General E-Mail Address:
Website:
Data Protection Officer:
Address:
Phone number:
Cell:
E-mail:
Part of Staff:

Business Process/Processing Name of Business Process Owner of Process

Identification of Business Process Report the name and description of the business process. Identify the owner(s) (role) of the business process that the
processing activity is part of.
Name of Process Owner

(In the column below, the name of the processing activity is

repeated for the purpose of the readability of the registry.)
Functional Description of Processing Number Processing
Identification of and information about the processing Enter the internal ID of the processing activity. Enter the name/functional description of the processing
activity activity.

number, functional description, finality,legal basis, type of

processing and functional description
Purpose of Processing Basis for Processing Type of Processing*
Enter the purpose of the processing activity. Provide the legal basis for the processing activity. Indicate what type of processing is involved:

A list with types (indicative list of purpose types) with some A list of possible legal bases for processing, as mentioned in Mention the types that are relevant to the processing
standard purposes has been included on the Lists tab. GDPR Article 6, is provided in the Lists tab. activity (see the list ‘Processing Types’ in the Lists tab).
Enter ‘Normal’ if the type is not one listed under
Note: This list does not cover all situations. For instance, Clarify, if necessary (e.g. reference the statute, if the legal ‘Processing Types’ (see the Lists tab).
the DPA could decide that more precise information is basis is statutory).
required for a specified processing activity.
Data and Data Subjects Used Functional Data Category GDPR Data Category*
Details about the data being processed and the data Enter the functional data categories. Indicate whether data categories will be processed that
subjects whose data are being processed. require special attention.
An indicative list with standard purposes (‘Indicative List of
functional category, sensitive category of data processing, Functional Data Categories’) is included on the Lists tab. Choose ‘Yes’ if one of the data categories listed under ‘GDPR
data subject category, classification level, retention period, Data Categories’ (see Lists tab) is involved.
original source Note: This list does not cover all situations. For instance, Choose ‘No’ if none of the data categories listed under ‘GDPR
the DPA could decide that more precise information is Data Categories’ (see Lists tab) are involved.
required for a specified processing activity.
Data Subject Categories
Indicate the data subject categories.
Vulnerable Data Subject Category
Indicate whether the data subjects are considered a
vulnerable category
Choose ‘Yes’ if the data subjects involved are in a situation document [XX] for more information.
in which there is a lack of parity in the relationship between
the data subject and the controller, such as children,
employees, patients, etc.
Choose ‘No’ if none of the categories as mentioned above
are involved.
Classification Level
Indicate the classification level of the processing activity
according to the organization's classification system (choose
the highest in case multiple are involved). See the
Replace [XX] with the name of the document describing the
internal classification process.
Retention Period Data Combination Original Source
Provide the retention period for the processed data. Indicate if data from multiple datasets will be combined. Indicate the source of the data if not the data subjects
themselves.
Subprocessor Name No. of Data Processing Contract
Identify the subprocessor (outsourcing contractor) involved Enter the name of the processing activity. Add an official ID Enter the number/title of the data processing contact(s).
in the processing activity number, if known.

name, no. of data processing contract

Data Transfer
Information about possible data transfers to third parties
data categories, recipient categories, third
country/international organization, documentation of
appropriate safeguards
Data Categories Recipient Categories
Where appropriate, indicate the data categories being Where appropriate, indicate what categories of recipients
transferred. are involved.
An indicative list (‘Recipient Categories’) with some
standard purposes are available in the Lists tab.
Note: This list does not cover all situations. For instance,
the DPA could decide that more precise information is
required for a specified processing activity.
Third Country/International Organization Nature of Transfer to Third Country/International
Where appropriate, indicate the third
countries/international organizations involved in the data
transfer.
Definition of a ‘third country:’ all countries outside of the
European Union (EU) and the European Economic Area
(EEA).
Documents
Organization
for Appropriate Safeguards
Where appropriate, indicate the nature of the transfer to In case of data transfer to a third country/international
third countries/international organizations. organization & transfer based on GDPR Article 49(2), list the
documents that clarify the appropriate safeguards and
A list of possibilities is available on the Lists tab. where these documents are stored.

Definition of ‘international organization:’ an organization

and its subordinate bodies governed by public international
law, or any other body which is set up by, or on the basis of,
an agreement between two or more countries.
Technology Description Risk & Mitigating Measures
Description of the technologies, applications, and software Indicate how the processing activity will be performed. Information about the risk and mitigating measures related
employed in the processing activity. to the data processing
Which technologies (e.g. cloud based, block chain, etc.),
applications or software are employed for the processing risk, description of protective measures, documentation of
activity? protective measures, DPIA
Risk Description of Mitigating Measures
Indicate the inherent risk to the fundamental rights and Provide a general statement of the technical and
freedoms of data subjects. organizational security measures taken specifically for the
processing activity.
Technical and organizational security measures taken at
business level do not need to be mentioned specifically. For
these simply list ‘Standard measures.’
Documentation
Reference the document that contain descriptions of the
‘Standard measures’ and of the technical and organizational
security measures taken specifically for the processing
activity.
DPIA Results Data Subject Rights Data Subject Notification
If the processing activity probably entails a high risk for the Reference the documents that determine the procedures Indicate how data subjects are notified that their data have
fundamental rights and freedoms of data subjects, a DPIA intended to guard the rights of data subjects. been registered.
must be completed (GDPR Article 135).

Reference the result of the DPIA as well as the document

containing the DPIA.
Procedure for Exercising Rights Status Processing Start Date
Indicate which document describes this procedure. Information about the status of the processing activity: Processing start date
Indicate, where appropriate, which special measures have start date, end date, and alternate processing activity.
been taken for this processing activity with respect to
exercising the rights of data subjects.
Processing End Date Alternate Processing Activity Date of Last Update
Processing end date, if applicable. By filling in this date, you Where appropriate, reference the number of the Date of the last update of information regarding this
are declaring that processing ceases as of that date. Strike processing activity that replaces the terminated activity. processing activity in this registry.
out the entire line. This creates a history in the registry.

This may be of use when the legal basis of a processing

activity shifts, for instance as the result of a statutory
change.
Comments
Write down any comments/points of action regarding the processing activity.
This tab provides several lists that may be of use to you as you fill out this registry.
These lists are only indicative, both regarding the level of detail and their
completeness. It is the controller’s responsibility to provide more detailed
information regarding the processing activity, if necessary.
Click on the ‘+’ next to the list name to expand the list.

Indicative List of Purpose Types

Purpose
General Purposes
HR

Personnel management
Task management
Workplace monitoring

Customer management

Combating fraud and customer breaches

Claims management
Vendor management

Donation collection
Public relations
Business intelligence
Registration and administration of shareholders or partners

Member management
Security

Dispute management
Protection of society, the industry, or the organization
Government Purposes
Taxes

Subsidies

Permits

Processing performed by local government

Elections
Immigration administration
Land registry
Government records

Justice and Law Enforcement

Public safety
Criminal enforcement
Regulatory enforcement
Judicial administration
Criminal records
Defending clients

Education
Student administration

Student counseling

Culture and Well-Being

Library Management
Public counseling
Employment counseling
Government Benefits
Administration of eligible recipients
Health Care
Patient care

Medical coding
Patient records
Registering risk groups
Organ donor registration

Medication inventory management

Primary or secondary scientific research the purpose of which is consistent with the original collection purpose
Epidemiological research
Biomedical research
Patient care evaluation

Scientific research

Market research

Historical research

Genealogy

Statistical research
Banking and Financial Services, Insurance
Account management

Wealth management

Corporate finance
Lending

Credit management

Global customer overview

Brokerage services

Management of personal insurance

Management of group insurance

Management of insurance against fire, accidents and various dangers

Industrial accident insurance

Management of elevated risks

Trade
Direct marketing

Trade in commercial intelligence

Other Purpose
Other purpose
Basis for Processing
Basis for Processing
Data subject consent

Necessary for the performance of a contract

Legal obligation

Protection of the vital interests of the data subject

Task carried out in the public interest or in the exercise of official authority

Legitimate interests pursued by the controller or by a third party

Indicative List of Functional Data Categories

Functional Data Category
Identification data
PII

Identification information assigned by government institutions, other than

the social security number
Electronic identification data
Electronic localization data
Biometrical identification data

Special financial data

Financial identification data
Financial means

Debts and expenditures

Solvency
Loans, mortgages, lines of credit

Financial assistance
Insurance policy details

Pension plan details

Financial transactions

Compensation
Professional activities

Agreements and settlements

Permits
Personal characteristics
Personal details
Military details
Immigrant status
Physical details
Physical description
Private habits
Habits
Lifestyle
Travel and movement details
Social contacts
Possessions
Public mandates

Complaints, incidents, or accidents

Distinctions
Media use
Psychological details
Psychological descriptions
Composition of the family
Marriage or current form of cohabitation

Marital history

Details regarding other family or household members

Leisure pursuits and interests

Leisure activities and interests
Memberships
Memberships (other than professional, political, or in trade unions)

Categories of legal data

Legal data related to suspicions

Legal data regarding convictions and sentences

Legal data regarding judicial actions
Legal data regarding administrative penalties

Legal data regarding DNA

Consumption habits
Rental data
Lending data
Residence data
Residence data

Health data
Physical health data

Mental health data

Data regarding risk situations and risk behavior
Genetic data related to population studies, genetic research, etc.
Recuperation data
Education and training
Academic curriculum

Financial overview of studies

Professional qualifications
Professional experience

Membership and/or participation in professional organizations

Publications
Profession and employment
Current employment

Recruitment

Work termination
Career
Absenteeism and discipline
Occupational medicine
Wages

Assets in possession of the employee

Work organization
Review
Training for the position

Security
Use of technology
Social Security Number
Social Security Number
Racial or ethnic data
Racial or ethnic data
Data about the sex life
Data about the sex life
Political opinions
Political tendency
Political affiliation
Membership in an interest group or militant organization
Membership in a trade union
Membership in a trade union
Philosophical or religious beliefs
Philosophical beliefs
Video recordings
Images
Surveillance images
Sound recordings
Sound recordings
Type of Processing
Enter ‘Normal’ if none of the types listed below apply.
Evaluation or review of people, including profiling and making prognoses
Automated decisions with legal consequences or similar substantial
consequences
Systematic monitoring (tracking, monitoring, or checking on the data
subject) (sound, photo, or video recordings)
Large-scale processing activities or processing activities with consequences
for a large number of stakeholders
Combining or merging of data collections that data subjects cannot
reasonably expect
Data processing that prevents data subjects from exercising a right, using a
service, or concluding a contract
Use of new technologies or application of technical and organizational
means
Systematic monitoring of a publicly accessible area on a large scale
GDPR Data Category
Special categories of personal data (GDPR Article 9)
Please note: in principle the processing of these are prohibited
Genetic data for the purpose of uniquely identifying a person
Biometric data for the purpose of uniquely identifying a person
Health data
Data revealing racial or ethnic origin
Data revealing political opinions
Data revealing religious or philosophical beliefs
Data revealing trade union membership
Data related to someone’s sex life or sexual orientation
Processing of personal data relating to criminal convictions and offenses (GDPR Article 10)
Personal data protected by professional secrecy
Data that are generally considered to entail an elevation of the possible risk for the rights
and freedoms of natural persons
Electronic communication data
Location data
Financial data
Information processed by a natural person in the context of purely personal or household
activities the publication or processing of which for any other purposes than household
activities may be considered as very intrusive

Indicative List of Recipient Categories

The data subject him- or herself
Personal relations of the data subject
Professional counselors of the data subject
Employer or business relations of the data subject
Individuals or organizations in a direct relationship with the controller
Other private enterprises
Public services
Courts and law enforcement
Government benefit offices
Banks and insurance companies
Personal data or direct marketing brokers
Others (please specify)
Nature of Transfer to Third Country/International Organization
Nature
Transfers on the basis of an adequacy decision
Transfers on the basis of appropriate safeguards
Transfers on the basis of BCRs
Transfers on the basis of an exemption for specific situation
Transfer on the basis of the requirements of GDPR Article 49(2)
out this registry.

Explanation

Recruitment and selection of employees and intermediaries (brokers, independent representatives, etc.).
Payroll administration, remunerations, commissions, and wages. Application of social legislation.
Evaluation and management of employees and intermediaries. Planning of training and career.
Planning and management of tasks, work loads and performance.
Monitoring the professional activities in the workplace via CCTV or IT systems, such as monitoring of
email, Internet usage, telephones, etc.
Customer administration, management of orders, deliveries, invoicing of material and immaterial
services. Solvency monitoring. Personalized marketing and advertising. Registering customers of a
business and profiling them based on purchases.
Intended are activities to prevent and detect such acts.
Management of claims, including repayment of monies owed.
Vendor administration. Management of orders received and payment of vendors. Prospecting possible
vendors and their evaluation.
Donor administration for a club. Prospecting new donors.
This includes creating goodwill for the organization.
Analyzing competitors and potential partners.
Maintaining a registry of shareholders or partners. The administration of their financial and other
benefits.
The administration of members, volunteers and sympathizers of a club.
Data processing to ensure the safety of people or goods. Note: In principle, security cameras are subject
to the law of March 21, 2007 regarding the placement and use of security cameras (the ‘Camera Law’)
and may not be reported by means of this form. Please use the customized thematic form. More
information in this regard can be found at www.privacycommission.be (Caméras de surveillance et notre
vie privée / Bewakingscamera’s en onze privacy).

The management by natural persons, private bodies or public authorities of their own disputes.
Processing of data regarding persons that represent a certain risk, such as hooligans.

Levying taxes and the activities related to it: registering tax payers as well as calculating, collecting, and
tracking taxes.
Granting subsidies and the related activities: researching eligible recipients as well as calculating, paying,
and tracking subsidies.
Granting permits and the related activities: researching eligible recipients and tracking the requirements.

Processing activities performed by local government, such as processing related to population registers,
personal IDs, civil registry records, etc.
Maintaining voter rolls and organizing elections.
Maintaining an immigrant registry and tracking residence permits.
Creating and updating a registry of properties, levying property taxes and providing tax certificates.
 Management of the correspondence between the government service and the people who have
voluntarily communicated with the service. Managing the data of people with whom the government
service is not in a profitable relationship.

Collecting and tracking information about people deemed to be a risk to public safety.
Detecting and tracking people suspected of crimes.
Preventing violations of and supervising compliance with laws and regulations.
Maintaining rolls and registers.
Registering criminal convictions.
Management of criminal cases and interests by lawyers or other legal counselors in the interests of their
clients.

Creating a student database, organizing the curriculum and the exams, registering results and decisions.
Calculating, invoicing and collecting of monies owed. Relations with alumni.
Providing guidance counseling to students regarding their intellectual development, their psychological
problems, and selecting career paths.

Registering members of a library in a database, tracking their loans.

Providing material and/or psychological counseling to people in need.
Counseling of unemployed persons and their training for new employment.

Collecting contributions, determining and awarding government benefits, including welfare assistance.

The diagnosis and paramedical treatment of patient, including the evaluation of the provided and yet to
be provided care for the purpose of improving the quality of care offered to patients.
Tracking of in-patient care and treatment for the purpose of invoicing.
Registering medical and in-patient information for management purposes.
Identifying and monitoring persons with elevated medical risks.
Creating databases of people willing to be organ donors as well as the promotion and use of such a
database.
Data processing related to the prescription and delivery of medication.
consistent with the original collection purpose
Research into the spreading of medical risk, morbidity, and mortality.
Research into the causes of medical pathology and the effect of medical treatments. Clinical trials.
Collection and processing of all data related to medical and paramedical diagnostics as well as
therapeutic practices provided to patients for the purpose of improving the quality of care practices.
Any act intended to determine paradigmatical, behavioral, and causal connections that are greater than
the individuals to which they are related. Aimed at describing global phenomena.
Studies related to the buying behavior, preferences and purchase intentions of people for the purpose of
determining market strategies.
Processing of personal data from private or public archives for the purpose of analyzing a historical event
or enabling such an analysis.
Processing of personal data for the purpose of constructing a family tree or genealogical tree, family
register or family list, etc.
Any act intended to collect and process personal data necessary for statistical questionnaires or for
delivering a statistical result (e.g. general announcement, help in planning and decision-making and in
the service of science).
The management of individual debit and savings accounts, whether or not a credit balance is present,
belonging to customers of the financial institution. These activities include the payment transactions
related to the account.
This refers to the totality of actions performed by a bank, whether or not in a discretionary manner, in
counseling customers in the management of their estate.
Providing services related to the distribution of capital, selling of shares, takeovers, and mergers.
This refers to the totality of actions related to the estimation of risks incurred by a bank when granting
credit, regardless of the nature of the credit.
This refers to the actions related to the monitoring and repayment of credit balances, including claims
and the actions related to those claims, regardless whether a third party is involved.
The integration of all or part of processed data in the context of one of the finalities that are specific to
the banking industry. This is for the purpose of coming to a conclusion of the overall profitability of
customers and whether or not banking products or services customized to their needs shall be offered
and to help the banking institution, in a general sense, to take the necessary decisions with regard to its
customers.

The mediation between customers and financial institutions specializing in insurance, credit, stock
exchange products, etc.
Insuring persons against uncertainties that damage the physical integrity or the family circumstances of
persons. Risk analysis, management of policies, premiums and compensation. Reinsurance and dispute
management.
The group variant of personal insurance.
Insuring customers against damage to goods and possessions or against their liability for damage caused
to third parties. Risk analysis, management of policies, premiums and compensation. Reinsurance and
dispute management.
Insuring employers against damage incurred by employees during work-related accidents. Risk analysis,
management of policies, premiums and compensation. Reinsurance and dispute management.
Preventive research.
Processing of data across various branches of insurance regarding persons with an elevated risk for the
purpose of avoiding unacceptable risks and fraud.

Canvassing, activities and services offered to population segments by commercial companies, charities,
or other clubs or foundations, including those of a political nature. The means of communication for
these actions can be mail, telephone or other direct means (e.g. email).
It is of no importance whether the addressee is already a customer or not.

Sale after data processing, published by official sources (such as the Moniteur Belge/Belgisch Staatsblad),
in combination with data acquired from other institutions.

To be described by the controller.

Explanation
The data subject has given consent to the processing of his or her personal data for one or more specific
purposes (GDPR Article 6(1)(a)).
Note that the consent must meet the requirements as determined by GDPR Article 7.
The processing is necessary for the performance of a contract to which the data subject is party or in
order to take steps at the request of the data subject prior to entering into a contract (GDPR Article 6(1)
(b)).
The processing is necessary for compliance with a legal obligation to which the controller is subject
(GDPR Article 6(1)(c)).
The processing is necessary in order to protect the vital interests of the data subject or of another natural
person (GDPR Article 6(1)(d)).
The processing is necessary for the performance of a task carried out in the public interest or in the
exercise of official authority vested in the controller (GDPR Article 6(1)(e)).

The processing is necessary for the purposes of the legitimate interests pursued by the controller or by a
third party, except where such interests are overridden by the interests or fundamental rights and
freedoms of the data subject which require protection of personal data, in particular where the data
subject is a child (GDPR Article 6(1)(f)).

Explanation

Name, title, address (work and home), former addresses, telephone number (work and home), IDs
assigned by the controller.

ID card number, passport number, drivers license number, license plate number, etc.
IP addresses, cookies, connection moments, etc.
Cell tower data, GPS data, etc.
DNA data, finger and voice prints, iris scans, facial recognition, finger or hand shape recognition, dynamic
signatures, etc.

ID numbers, bank account numbers, credit or debit card numbers, secret codes.
Income, possessions, investments, total income, professional income, savings, start and end dates of
investments, investment income, debts owed on assets.
Total expenditures, rent, loans, mortgages and other forms of credit.
Evaluation of the income, of the financial statute, of solvency.
Nature of the loan, the amount borrowed, remaining balance, start date, loan period, interest rate,
payment overview, details regarding the guarantees.
Benefits, assistance, gifts, subsidies.
Nature of the insurance policy, details regarding the covered risks, insured amounts, insured period,
termination date, payments made, received, or missed, status of the agreement.
Effective date of the pension plan, nature of the plan, termination date of the plan, received and made
payments, options, beneficiaries.
Amounts paid and payable by the data subject, awarded credit lines, sureties, payment method, payment
overview, deposits and other guarantees.
Details regarding claimed compensations, paid amounts or other types of compensation.
Professional activities performed by the data subject: nature of the activity, nature of the goods or
services used or delivered by the person in the record, business relations.
Details regarding settlements or trade agreements, agreements regarding representation or legal
agreements, details regarding agents.
Permits held by data subjects.

Age, sex, date of birth, place of birth, marital status, nationality.

Military statute, military overview, military distinctions.
Details regarding the visa, work permit, residence or movement limitations, special conditions related to
the residence permit.
Height, weight, hair color, eye color, distinguishing characteristics.

Tobacco use, alcohol use.

Details regarding the use of goods or services, behavior by the data subjects or their family members.
Information regarding former residences and movement, travel visa, work permits.
Friends, business partners, relationships with persons other than close family members.
Land, property or other possessions.
Functions within the local, regional, national or federal government, participation in government
committees, working groups, or deliberative bodies, etc.
Information regarding an accident, incident, or complaint in which the data subject is involved, the
nature of the damage or injuries, involved persons, witnesses.
Civil, clerical, or military distinctions.
Use of media and means of communication.

Opinions regarding personality or character.

Name of the spouse or partner, maiden name of the spouse or partner, wedding date, date of the
cohabitation contract, number of children, etc.
Details regarding previous marriages or partnerships, divorces, separations, names of previous partners.

Children, dependents, other members of the household, other close blood relatives, parents and
descendants.

Hobbies, sports, other interests.

Memberships in charitable or benevolent organizations, clubs, partnerships, unions, organizations,

groups, etc.

Suspicions of violations, conspiratorial connections with known criminals. Inquests or judicial actions
(civil or criminal) undertaken by or against the data subject.
Convictions and sentences.
Guardianship, temporary administratorship, internment, placement.
Administrative penalties:
* purely disciplinary in nature;
* those that can be imposed on people who are not in public service but cooperate with them
(physicians, pharmacists, paramedics, contractors of public works);
* those that can be imposed on people using public services;
* those that can be imposed for failure to comply with statutory or regulatory measures, e.g. littering on
the public road.

DNA data processed in the context of the law dated March 22, 1999 related to identification procedures
through DNA analysis in criminal proceedings.

Details regarding the goods and services provided, loaned, or rented to the data subject.
Details regarding the goods and services provided, loaned, or rented by the data subject.
Address of the residence: nature of the residence, owned or rented property, duration of the residency
at that address, rent, costs, classification of the residence, details regarding valuation, names of people
who are in possession of keys.

Medical file, medical report, diagnostic information, treatment, results of analysis, handicap or infirmity,
diet; other special demands related to the health when managing a trip or a residence.
Medical file, medical report, diagnostic information, treatment, results of analysis.
Risk situations and risk behavior.
Genetic data related to population studies, genetic research, etc.
Data related to the means and procedures used during a medical and paramedical treatment.

Overview of schools, institutions, colleges, and universities attended, nature of the completed courses,
diplomas or certificates pursued, exam results, other diplomas awarded, evaluation of study progress.
Enrollment fees and paid costs, funding, payment methods, payment records.
Certificates and professional trainings, special licenses (engineer’s license, etc.).
Professional interests, research interests, academic interests, specializations, teaching experience,
consultations.
Details regarding the groups, committees or commissions involved, functions held, special interests, and
participation records.
Books, articles, reports, published audiovisual materials.

Employer, title and role description, seniority, recruitment date, work location, specialization or company
type, work modes and conditions, former positions and prior work experience at the same employer.

Recruitment date, recruitment method, recruitment source, references, details related to the
probationary period.
Termination date, reason, notice period, termination conditions.
Prior employment and employers, periods without employment, military service.
Absenteeism records, reasons for being in absentia, disciplinary measures.
Diminished work capacity resulting from a work accident, first-aid certification.
Payments and deductions, salary, commissions, bonuses, expenditures, grants, advantages, loans, tax
withholdings, FICA withholdings, union contributions, payment methods, date of most recent salary
increase.
Car, tools, spare parts, reference tools, other objects in possession of the employee.
Current responsibilities, projects, billable hours, hourly wage, hours worked.
Performance review, possibilities.
Details regarding the training required and received for the position as well as the qualifications and
authority obtained.
Passwords, security codes, levels at which permissions are granted.
Evaluation of the use of technology (Internet, email, etc.).

Social Security Number

Racial or ethnic data

Sexual orientation, etc.

Political convictions, party preference.
Membership in a political party, political functions currently held.
Membership in or support for an interest group or militant organization.

Membership in a trade union or similar organization, functions held.

Philosophical or religious beliefs

Camera recording, photographic recording, video recording, digital photos, etc.

Images of security cameras.

Tape recordings, phone recordings, etc.

Organization
Explanation
GDPR Article 45
GDPR Article 46
GDPR Article 47
GDPR Article 49(1)
GDPR Article 49(2)
General information
Click on the ‘+’ to expand a category.
Red column headings indicate required information under the GDPR.
Processing activities with start date May 24, 2018 were performed before the GDPR became applicable.
Click on the column headings to filter the processing activities.
How to fill in this registry?
This registry is not meant as a purely administrative tool but has been developed as a guide for the organization for the
various points of attention under the GDPR in the context of the processing of personal data.
Fill in the registry from left to right.
Start with the business process and then identify which processing activities are performed in connection with these
processes.
If a business process contains multiple processing activities, these should be entered on separate lines in the registry if
they have a different purpose or legal basis.
If a certain processing activity is no longer performed, you should enter an end date and strike out the processing
activity.
For processing activities that started before May 25, 2018 you should enter May 24, 2018 as the start date.
Enter N/A if a certain column is not applicable for a specific processing activity.
Column heading in registry
Processing
Purpose of Processing
Basis for Processing
Functional Data Category
Data Subject Categories
Retention Period
Data Categories
Recipient Categories
Third Country/International
Organization

Documents for Appropriate Safeguards

Description of Mitigating Measures

Data Subject Notification

Procedure for Exercising Rights
Section in the declaration form
1. Name of the processing activity
2. Purpose or entirety of related purposes of the data processing
4. Statutory or regulatory basis or bases
3. Data categories being processed
Information not contained in the declarations
10. Planned retention period
5. Recipient categories and data categories that can be provided
5. Recipient categories and data categories that can be provided

12. Data sent abroad

6. Which measures have been taken to protect data shared with third parties? (Note: Only applicable for the
situation described in GDPR Article 49(2))
11. General description of security measures
6. Which measures have been taken to protect data shared with third parties? (in case data are transferred)
7. How are data subjects notified that their data have been registered?
9. Special measures taken for the exercising of rights