
Record-Processing-Activities - CNIL

This document provides a template and guidance for creating a record of processing activities as required by the GDPR. It includes templates for listing processing activities, and for creating a detailed record form for each one. The record form template includes sections for describing the processing operation, categories of personal data and data subjects involved, data sharing and security measures, international data transfers, and data retention periods. An example record form is also provided to demonstrate how to complete the template. The overall document aims to help organizations inventory their processing of personal data and comply with GDPR record keeping requirements.

Record of processing activities - Tutoria

In order to help with the maintenance of the records, CNIL proposes a template of a simplified record of processi
needs in terms of data processing, in particular the ones concerning small businesses.

This document aims to identify the personal data processing operations carried out in your organisation as a cont
updated, it will allow you to meet the requirement to maintain a record of processing as set out in the GDPR.

Your record will consist of a processing list (tab 2) and at least one record form (tab 3).

► For more information on records of processing, you can consult the dedicated page on the CNIL website.

► Once you have completed the inventory of your processing activities, you will be able to identify the actions to be taken

Do you need help with the GDPR?

► Feel free to consult the Practical Guide to GDPR Awareness, available on the CNIL website (in French)

In some cases, comments will be provided to help you complete your record (red triangle in the cell).

Document composition

► Tab 2 "Processing list"


This tab allows you to list all the activities of your organization that require the processing of personal data. With
your data processing.

► Tab 3 "Template of a record of processing form"


You must create and maintain one record of processing form per operation. Replicate and complete this template

► Tab 4 "Example of a completed record of processing form"

This section provides an example of how to shape and edit a record of processing form. This example, however, is
should not be repeated as it is, but adapted according to your processing.
et the most common

and regularly

pliant with the GDPR.

ave a first overview of

necessary.
us processing and
Contact details of the responsible for the organisation (controller itself or its representative if the controller is located outside the EU)
Last name: Name: Address: Email address: Zip code: Town: Phone number:

Contact details of the representative (controller itself or its representative if the controller is located outside the EU)
Last name: Name: Address: Email address: Zip code: Town: Phone number:

Contact details of the Data Protection Officer (DPO)
Organisation (if external DPO): Last name: Name: Address: Zip code: Town: Phone number: Email address:

Processing details

| Name of the processing operation | N° / REF | Date of creation of the record form | Last update of the record form | Purpose of the data processing | Special categories of personal data? (Yes/No) |
|---|---|---|---|---|---|
| (EXAMPLE) Payroll Management | 1-Example | May 25, 2018 | May 13, 2018 | Payroll management, Calculation of remuneration, Calculation of the amount of payments sent to social security institutions. | No |

Template of a record of processing form
This tab is a template of an operational form to be reproduced, adapted and completed according to your activity for each processing operation. In some cases, comments will be provided to help you complete your record form (red triangle in the cell).

Description of the processing operation

Name of the processing operation

N° / REF

Date of creation of the processing

Update of the processing

| Stakeholders | Name | Address | ZIP Code | Town | Country | Phone number | Email address |
|---|---|---|---|---|---|---|---|
| Controller | | | | | | | |
| Data protection officer | | | | | | | |
| DPO's Organisation (if external DPO) | | | | | | | |
| Representative | | | | | | | |
| Joint controller(s) | | | | | | | |

Purpose(s) of the data processing

Main purpose

Sub-purpose 1

Sub-purpose 2

Sub-purpose 3

Sub-purpose 4

Sub-purpose 5

| Categories of personal data | Description | Data retention period |
|---|---|---|
| Marital status, ID, identification data, images... | | |
| Personal life (lifestyle, family situation, etc.) | | |
| Economic and financial information (income, financial situation, tax situation, etc.) | | |
| Connection data (IP address, logs, etc.) | | |
| Location data (movements, GPS data, GSM, etc.) | | |
| Social Security Number (or NIR) | | |

| Special categories of personal data | Description | Data retention period |
|---|---|---|
| Data revealing racial or ethnic origin | | |
| Data revealing political opinions | | |
| Data revealing religious or philosophical beliefs | | |
| Data revealing trade union membership | | |
| Genetic data | | |
| Biometric data for the purpose of uniquely identifying a natural person | | |
| Data concerning health | | |
| Data concerning a natural person's sex life or sexual orientation | | |
| Data relating to criminal convictions and offences | | |

| Categories of data subjects | Description | Details |
|---|---|---|
| Category 1 | Select an item from the list ► | |
| Category 2 | | |

| Recipients | Type of recipient | Details |
|---|---|---|
| Recipient 1 | Select an item from the list ► | |
| Recipient 2 | | |
| Recipient 3 | | |
| Recipient 4 | | |

| Security measures | Type of security measure | Details |
|---|---|---|
| Security measure 1 | Select an item from the list ► | |
| Security measure 2 | | |
| Security measure 3 | | |

| Transfers to third countries or international organisations | Recipient | Country | Type of guarantees | Links to relevant documents |
|---|---|---|---|---|
| Recipient organisation 1 | | Select an item from the list ► | Select an item from the list ► | |
| Recipient organisation 2 | | | | |
| Recipient organisation 3 | | | | |
| Recipient organisation 4 | | | | |

Example of a completed record of processing form
This example is based on a fictitious processing and should not be repeated as it is, but adapted according to your processing (cf. tab 3).

Description of the processing operation

Name of the processing operation: Payroll management

N° / REF: 1 - Example

Date of creation of the processing: May 26, 2018

Update of the processing: May 13, 2019

| Stakeholders | Name | Address | ZIP Code | Town | Country | Phone number | Email address |
|---|---|---|---|---|---|---|---|
| Controller | Louise DUPONT | 1 rue Rivoli | 75001 | Paris | France | 01 xx xx xx xx | [email protected] |
| Data protection officer | Martin HENRI | 1 rue Rivoli | 75001 | Paris | France | 01 xx xx xx xx | [email protected] |
| DPO's Organisation (if external DPO) | N/A | | | | | | |

Purpose(s) of the data processing

Main purpose: Payroll management

Sub-purpose 1: Calculation of remuneration

Sub-purpose 2: Calculation of the amount of payments made to social security organisations

Sub-purpose 3: Transfer orders to the bank

| Categories of personal data | Description | Data retention period |
|---|---|---|
| Marital status, ID, identification data, images... | Last names, names and addresses | 5 years from the payment of the salary |
| Economic and financial information (income, financial situation, tax situation, etc.) | Bank account details | 5 years from the payment of the salary |
| Social Security Number (or NIR) | Social security numbers of the employees | 5 years from the payment of the salary |

| Categories of data subjects | Description | Details |
|---|---|---|
| Category 1 | Employees | |

| Recipients | Type of recipient | Details |
|---|---|---|
| Recipient 1 | Internal department that processes the concerned data | Administrative and Financial Department |
| Recipient 2 | Institutional or commercial partners | Social organisations |
| Recipient 3 | Recipients in third countries or international organisations | Bank of Andorra |

| Security measures | Type of security measure | Details |
|---|---|---|
| Security measure 1 | Software protection measures | |
| Security measure 2 | Data backup | |
| Security measure 3 | User access control | |

| Transfers to third countries or international organisations | Recipient | Country | Type of guarantees | Links to the related documents |
|---|---|---|---|---|
| Recipient organisation 1 | Bank of Andorra | Andorra | Standard contractual clauses (SCC) | Agreement dated January 23, 2011. |

Guarantees
Select an item from the list ►
Standard contractual clauses (SCC)
Binding corporate rules (BCR)
Country providing an adequate level of protection
Privacy Shield
Code of conduct
Certification
Derogations (Article 49)

| Country | Zone |
|---|---|
| Select an item from the list ► | |
| Andorra | Adequate |
| Argentina | Adequate |
| Canada | Adequate |
| United States | Adequate |
| Guernsey | Adequate |
| Isle of Man | Adequate |
| Faroe Islands | Adequate |
| Israel | Adequate |
| Jersey | Adequate |
| New Zealand | Adequate |
| Switzerland | Adequate |
| Uruguay | Adequate |
| Afghanistan | Not adequate |
| Albania | Not adequate |
| Algeria | Not adequate |
| Angola | Not adequate |
| Antigua & Barbuda | Not adequate |
| Armenia | Not adequate |
| Australia | Not adequate |
| Azerbaijan | Not adequate |
| Bahamas, The | Not adequate |
| Bahrain | Not adequate |
| Bangladesh | Not adequate |
| Barbados | Not adequate |
| Belarus | Not adequate |
| Belize | Not adequate |
| Benin | Not adequate |
| Bermuda | Not adequate |
| Bhutan | Not adequate |
| Bolivia | Not adequate |
| Bosnia & Herzegovina | Not adequate |
| Botswana | Not adequate |
| Brazil | Not adequate |
| Brunei | Not adequate |
| Burkina Faso | Not adequate |
| Burma | Not adequate |
| Burundi | Not adequate |
| Cambodia | Not adequate |
| Cameroon | Not adequate |
| Cape Verde | Not adequate |
| Central African Rep. | Not adequate |
| Chad | Not adequate |
| Chile | Not adequate |
| China | Not adequate |
| Colombia | Not adequate |
| Comoros | Not adequate |
| Congo, Dem. Rep. | Not adequate |
| Congo, Repub. of the | Not adequate |
| Costa Rica | Not adequate |
| Cote d'Ivoire | Not adequate |
| Cuba | Not adequate |
| Djibouti | Not adequate |
| Dominica | Not adequate |
| Dominican Republic | Not adequate |
| East Timor | Not adequate |
| Ecuador | Not adequate |
| Egypt | Not adequate |
| Equatorial Guinea | Not adequate |
| Eritrea | Not adequate |
| Ethiopia | Not adequate |
| Fiji | Not adequate |
| Gabon | Not adequate |
| Gambia, The | Not adequate |
| Georgia | Not adequate |
| Ghana | Not adequate |
| Gibraltar | Not adequate |
| Grenada | Not adequate |
| Greenland | Not adequate |
| Guatemala | Not adequate |
| Guinea | Not adequate |
| Guinea-Bissau | Not adequate |
| Guyana | Not adequate |
| Haiti | Not adequate |
| Honduras | Not adequate |
| Hong Kong | Not adequate |
| India | Not adequate |
| Indonesia | Not adequate |
| Iran | Not adequate |
| Iraq | Not adequate |
| Jamaica | Not adequate |
| Japan | Not adequate |
| Jordan | Not adequate |
| Kazakhstan | Not adequate |
| Kenya | Not adequate |
| Kiribati | Not adequate |
| Korea, North | Not adequate |
| Korea, South | Not adequate |
| Kosovo | Not adequate |
| Kuwait | Not adequate |
| Kyrgyzstan | Not adequate |
| Laos | Not adequate |
| Lebanon | Not adequate |
| Lesotho | Not adequate |
| Liberia | Not adequate |
| Libya | Not adequate |
| Macedonia | Not adequate |
| Madagascar | Not adequate |
| Malawi | Not adequate |
| Malaysia | Not adequate |
| Maldives | Not adequate |
| Mali | Not adequate |
| Marshall Islands | Not adequate |
| Mauritania | Not adequate |
| Mauritius | Not adequate |
| Mexico | Not adequate |
| Micronesia, Fed. St. | Not adequate |
| Moldova | Not adequate |
| Monaco | Not adequate |
| Mongolia | Not adequate |
| Montenegro | Not adequate |
| Morocco | Not adequate |
| Mozambique | Not adequate |
| Namibia | Not adequate |
| Nauru | Not adequate |
| Nepal | Not adequate |
| Nicaragua | Not adequate |
| Niger | Not adequate |
| Nigeria | Not adequate |
| Oman | Not adequate |
| Pakistan | Not adequate |
| Palau | Not adequate |
| Palestine, State of | Not adequate |
| Panama | Not adequate |
| Papua New Guinea | Not adequate |
| Paraguay | Not adequate |
| Peru | Not adequate |
| Philippines | Not adequate |
| Puerto Rico | Not adequate |
| Qatar | Not adequate |
| Russia | Not adequate |
| Rwanda | Not adequate |
| Saint Kitts & Nevis | Not adequate |
| Saint Lucia | Not adequate |
| Saint Vincent and the Grenadines | Not adequate |
| Solomon Islands | Not adequate |
| Salvador | Not adequate |
| Samoa | Not adequate |
| San Marino | Not adequate |
| Sao Tome & Principe | Not adequate |
| Saudi Arabia | Not adequate |
| Senegal | Not adequate |
| Serbia | Not adequate |
| Seychelles | Not adequate |
| Sierra Leone | Not adequate |
| Singapore | Not adequate |
| Somalia | Not adequate |
| South Africa | Not adequate |
| South Sudan | Not adequate |
| Sri Lanka | Not adequate |
| Sudan | Not adequate |
| Suriname | Not adequate |
| Swaziland | Not adequate |
| Syria | Not adequate |
| Taiwan | Not adequate |
| Tajikistan | Not adequate |
| Tanzania | Not adequate |
| Thailand | Not adequate |
| Togo | Not adequate |
| Tonga | Not adequate |
| Trinidad & Tobago | Not adequate |
| Tunisia | Not adequate |
| Turkey | Not adequate |
| Turkmenistan | Not adequate |
| Tuvalu | Not adequate |
| Uganda | Not adequate |
| Ukraine | Not adequate |
| United Arab Emirates | Not adequate |
| Uzbekistan | Not adequate |
| Vanuatu | Not adequate |
| Venezuela | Not adequate |
| Vietnam | Not adequate |
| Western Sahara | Not adequate |
| Yemen | Not adequate |
| Zambia | Not adequate |
| Zimbabwe | Not adequate |

Categories
Select an item from the list ►
Employees
Internal services
Customers
Suppliers
Service providers
Potential customers
Applicants
Other (specify)

Recipients
Select an item from the list ►
Internal department that processes the concerned data
Processors
Recipients in third countries or international organisations
Institutional or commercial partners
Other (specify)

Security measures
Select an item from the list ►
Traceability measures
Software protection measures
Data backup
Data encryption
User access control
Control of processors
Other measures (specify)
