The Record of Processing Activities

Philipp Rosenauer
Partner Legal, PwC Switzerland

With the revised Swiss Federal Act on Data Protection (revFADP) comes the obligation to create a Record of Processing Activities. In essence, this is an inventory that documents all data flows and the purpose of each processing activity. It is intended to provide a general overview of data processing. The obligation to keep a Record of Processing Activities applies to most companies. There is an exemption for low-risk processing of personal data by organisations with fewer than 250 employees.

What must be included in a Record of Processing Activities?

According to the revFADP, the record must contain the following information:

  • the controller’s identity;
  • the purpose of the processing;
  • a description of the categories of data subjects and the categories of the processed personal data;
  • the categories of the recipients;
  • the period of storage of the personal data or the criteria to determine the period of storage;
  • a general description of the measures to guarantee data security;
  • in case of disclosure of data abroad, the names of the countries in question and the safeguards.

The benefits of a Record of Processing Activities

If requested, the Record of Processing Activities must be made available to the Federal Data Protection and Information Commissioner (FDPIC).

Even though setting up the record initially can be time-consuming, it can help you identify redundant processing activities. You can pinpoint where unnecessary personal data is collected and thus know what might create data security risks. It also supports the rights of data subjects, e.g. when a request for access comes in. With the record, you have a solid general overview of where data is processed and for what purpose.

Can I reuse Records of Processing Activities that are already in use?

The creation of the record itself is relatively easy thanks to numerous templates that are available online, e.g. from supervisory authorities. By law, no particular form is required. Neither the GDPR nor the revFADP contains specific requirements concerning the format. The records must be machine-readable and must therefore be maintained in Word, Excel or comparable software.

If your company has already done its homework in previous years and you have a Record of Processing Activities in use for the GDPR, you can reuse its structure. Consider making minor additions, such as the list of countries to which the data is transferred, as well as the legal basis and the safeguards that they are based on. If there are any other applicable exceptions to them, you should list them.

Consider updating the Record of Processing Activities frequently. Whenever there is a new processing activity or a change in processing activities, those changes must be reflected. The record should be reviewed on a regular basis – it is a “living” document.
