GDPR questions and answers

Category: Data Processing

How detailed should processing operations be in the register? Is it sufficient to enter general categories such as "employee employment administration", or should they be broken down into more detailed operations, such as "working time records" or "settlements with employees"?

ANSWER

There are no uniform guidelines on the level of detail of the register or on how processing operations should be described, so its form should be adapted to the needs of the organisation. The register may be more general, divided into the main data processing processes and then by the purposes for which the data are used, or more detailed, broken down into individual processes and operations. The final shape of the register depends on the size of the organisation, the type of data processed, and legal requirements, which may differ depending on the sector.

When creating the register, particular attention should be paid to specific processing operations, such as profiling, which may involve a significant risk of infringing the rights of data subjects. An example is the fine imposed by UODO on Toyota Bank. Such operations should be described accurately and analysed in detail to ensure compliance with GDPR requirements and proper protection of personal data. Nevertheless, there is no need to describe in detail every single processing operation, especially where this does not involve significant risk. Otherwise, the register will become too extensive and difficult to maintain, which may lead to unnecessary administrative complications.

The register should be a tool enabling effective management and control of processing operations, not an administrative burden. The key is to strike a balance between accuracy and clarity, so that the register is an effective means of ensuring compliance with personal data protection provisions while remaining easy to maintain and update.

Level of detail of operations in the GDPR record of processing activities — practice | ODO 24