Skip to content Skip to footer
Search
PwC

Menu

Events

Loading Results

The Record of Processing Activities

Philipp Rosenauer
Head Data Privacy | ICT | Implementationᐩ, PwC Switzerland

Claudia Jung
Data Privacy | ICT | Implementationᐩ, PwC Switzerland

With the revised Swiss Federal Act on Data Protection (revFADP) comes the obligation to create a Record of Processing Activities. In essence, this is an inventory that documents all data flows and their purpose for processing. This is intended to provide a general overview of data processing. The obligation to keep a Record of Processing Activities applies to most companies. There is an exemption for low-risk processing of personal data by organisations with less than 250 employees. 

What must be included in a Record of Processing Activities?

According to the revFADP, the record must contain the following information:

  • the controller’s identity;
  • the purpose of the processing;
  • a description of the categories of data subjects and the categories of the processed personal data;
  • the categories of the recipients;
  • the period of storage of the personal data or the criteria to determine the period of storage;
  • a general description of the measures to guarantee data security;
  • in case of disclosure of data abroad, the names of the countries in question and the safeguards.

The benefits of a Record of Processing Activities

If requested, the Record of Processing Activities must be made available to the Federal Data Protection and Information Commissioner (FDPIC).

Even if the initial establishment might be a time-consuming task, it can help you identify redundant processing activities. You can pinpoint where unnecessary personal data is collected and thus know what might create data security risks. It also supports the rights of data subjects, e.g. when a request for access comes in. With the record, you have a solid general overview of where data is processed and with what purpose.

Can I reuse Records of Processing Activities that are already in use?

The creation of the record itself is relatively easy thanks to numerous templates that are available online, e.g. from supervisory authorities. By law, no particular form is required. Neither the GDPR nor the revFADP contain specific requirements concerning the format. The records must be machine-readable and therefore be maintained in Word, Excel or comparable software.

If your company has already done its homework in previous years and you have a Record of Processing Activities in use for the GDPR, you can reuse the systematics. Consider amending minor additions, such as the list of countries where the data is transferred to, as well as the legal basis and the safeguards that they are based on. If there are any other applicable exceptions to them, you should list them.

Consider updating the Record of Processing Activities frequently. Whenever there is a new processing activity or a change in processing activities, those changes must be reflected. The record should be reviewed on a regular basis – it is a “living” document.

Do you have any questions?

https://pages.pwc.ch/core-contact-page?form_id=7014L000000kkHMQAY&embed=true&lang=en


#social#

Contact us

Dr. Günther Dobrauz

Dr. Günther Dobrauz

Partner and Leader Legal, PwC Switzerland

Tel: +41 58 792 14 97

Philipp Rosenauer

Philipp Rosenauer

Head Data Privacy | ICT | Implementationᐩ, PwC Switzerland

Tel: +41 58 792 18 56

Claudia Liliane Jung

Claudia Liliane Jung

Data Privacy | ICT | Implementationᐩ, PwC Switzerland

Tel: +41 58 792 4728

Adrien Tharin

Adrien Tharin

Co-Head of FinTech, Blockchain and Digital Assets, PwC Switzerland

Tel: +41 58 792 92 24

Lorena Rota

Lorena Rota

Data Privacy | ICT | Implementationᐩ, PwC Switzerland

Tel: +41 58 792 2750

Anna Maria Tonikidou

Anna Maria Tonikidou

Data Privacy | ICT | Implementationᐩ, PwC Switzerland

Tel: +41 58 792 46 89