Dutch Data Protection Authority's recommendations for records of processing activities
The Dutch Data Protection Authority (DPA) recently published five recommendations for records of processing activities (only available in Dutch). In accordance with European privacy legislation, organisations must (usually) keep records of their processing activities. The DPA issued its recommendations following an exploratory study of thirty large organisations, in which they assessed the quality of the processing records.
Indefinite storage of personal data without justification is not compliant with European privacy legislation. For this reason, the DPA recommends, amongst other things, that organisations state in their processing records how long they intend to store personal data.
The DPA calls its recommendations "concrete". However, it could also be argued that they "state the obvious" and "raise more questions than they answer".
Please read more on this topic in our newsletter.