Register of Treatment Activities
Register of Treatment Activities
The Register of Processing Activities, also known by the acronym RAT, is one of the obligations that any company or professional(Data Controller or Controller) must prepare in order to comply with Article 30 of the General Regulation on the Protection of Personal Data(RGPD) and Article 31 of the Organic Law on the Protection of Personal Data(LOPD-GDD).
What is a Treatment Activity?
Let’s start with the basics; a processing activity refers to the processing of personal data by a Controller in the performance of its business, which can be grouped by structured data sets:
— Customers
— Employees
— Job Applicants
— Suppliers
— Etc.
And also by type or criticality for a better analysis of the treatment activity:
— Video surveillance
— Biometrics
— E-Commerce
— Etc.
What does the Treatment Activities Registry consist of?
Once the personal data processed by a Data Controller has been identified, an analysis of such data shall be carried out, which shall include the following:
— Purposes of the treatment
— The categories of data subjects and personal data
— The categories of recipients to whom the data will be transferred and details of the countries where such personal data will be transferred, including their guarantees.
— Deadlines for the deletion of the different categories of data
— Description of the technical and organizational security measures applied to personal data
— Name and contact details of the data processors (suppliers processing data of the Controller) and of the data protection officer(DPO) if one has been appointed.
How should the ARP be presented?
The Register of Processing Activities shall be in writing and in electronic format.
The Register of Processing Activities must be made available to the supervisory authority (AEPD or regional authorities) upon request.
Those Responsible listed in article 77.1 of LOPD-GDD, must make public their Register of Activities making them accessible by electronic means.
The importance of the Data Protection Officer
If the Controller has appointed a Data Protection Delegate (DPD)The Data Protection Officer must inform him/her at all times about any alteration in its content.
We remind you that one of the tasks of the DPD is to provide the necessary advice, such as the need for any of the updated or new processing activities to require the preparation of an Impact Assessment (EIPD).
Hire a Data Protection Officer
If you hire a Data Protection Officer, he or she will draw up your record of processing activities, carry out the impact assessment, perform the corresponding audits, and train your employees.
For less than you think, Business Adapter® will be your Data Protection Officer.