February 17, 2020

February 14, 2020


CNIL Issues Record-Keeping Guidance

Under GDPR, companies are required to keep certain records of their processing activities. There has been some question about the types of records controllers should keep. To address questions raised by many companies, CNIL recently issued guidance on how to fulfill record-keeping obligations. The guidance includes an RPA template for controllers and outlines the contents that both controllers and processors should include. These include why information was collected, the categories of personal information, the recipients of personal information, and any out-of-country transfers. Companies should also include how long information will be kept. For processors, records should be kept “for each type of activity operated in place of customers” with many of the same details. The CNIL recommends gathering information, making a list of processing activities, clarifying any questions and then creating the record. CNIL notes that this record should be updated “frequently” with an eye towards the activities and type of information. While the document is internal, companies should keep in mind that it will need to be provided to the CNIL if requested.

Putting it Into Practice: The recent CNIL guidance provides helpful insight on how to maintain records in accordance with GDPR requirements. Other resources include information from the UK ICO.

Copyright © 2020, Sheppard Mullin Richter & Hampton LLP.



About this Author

Partner

Liisa Thomas, a partner based in the firm’s Chicago and London offices, is Co-Chair of the Privacy and Cybersecurity Practice. Her clients rely on her ability to create clarity in a sea of confusing legal requirements and describe her as “extremely responsive, while providing thoughtful legal analysis combined with real world practical advice.” Liisa is the author of the definitive treatise on data breach, Thomas on Data Breach: A Practical Guide to Handling Worldwide Data Breach Notification, which has been described as “a no-nonsense roadmap for in-house and...

312-499-6335
Attorney

Sylvie Rousseau is Head of the EU Data Protection Team in the firm's Brussels office. 

Sylvie Rousseau has more than 15 years of data protection and privacy experience across the EU, including in compliance audits, data transfer strategies, data breach cases, e-discovery procedures, privacy policies, employee monitoring guidelines, whistleblowing hotlines, clinical trials, notifications to national regulators, binding corporate rules approval and GDPR compliance projects.

32-2-290-7900
Associate

Rebecca Mackin is an attorney in the Intellectual Property Practice Group in the firm's Chicago office.

312-499-6328