Is keeping a register of personal data (“data folder”) mandatory?

The AVG requires keeping a register of the processing of personal data (“overview of data flows” or “data folder”).

Is every organization obliged to keep a register of processing of personal data?

Yes, almost every organization is obliged to keep a register of the processing of personal data (“overview of data flows” or “data folder”).

The AVG privacy legislation states that you are obliged to keep a register of processing of personal data, but that this obligation does not apply to companies with fewer than 250 employees. It also says, however: unless the use of the personal data is “not secondary” (i.e. structural). On the basis of this provision, every organization that uses personal data on a structural basis is obliged to keep an overview.

Almost every organization will process personal data structurally, for example because it uses business e-mail, collects IP addresses via a website or uses camera surveillance. The obligation to keep an overview will therefore apply to most organizations, whether they have more or fewer than 250 employees.

However, even if an organization processes personal data very seldom, the overview will be necessary if it concerns special personal data or if the processing entails a risk for the people involved, for example because it concerns a vulnerable group of people.

Which organizations are not obliged to keep a register of the processing of personal data?

If personal data is processed only very sporadically, and the processing does not involve special personal data or entail a risk for the persons involved (for example because they are a vulnerable group of people), then an organization does not need to keep a register (“overview” or “data folder”).