FREQUENTLY ASKED QUESTIONS/Is keeping a register always obligatory?/

Security & compliance

Is keeping a register always obligatory ?

The obligation to keep a register is not imposed on companies with fewer than 250 employees, unless the processing they carry out is likely to entail a risk with regard to the rights and freedoms of the persons concerned, if it does not is not occasional or if it relates in particular to sensitive data, or to data relating to convictions and criminal offenses.

For example, concerning law firms, since their data on particular categories of data or data relating to convictions and criminal offenses, the latter will be required to set up a register of processing activities.

It is advisable, even for those who are not obliged, to keep a register because it contributes to the respect of the principle of accountability (consisting of documenting the conformity to be able to prove it). As such, it is strongly advised to ensure the maintenance of such a register, even if it is a small company. It is necessary at least to have a map of treatments, to respect all the principles referred to in the GDPR, to respect the rights of individuals and to document compliance with these various obligations.

Article 30 of the RGPD specifies the information that this register must contain (see FAQ concerning the obligations of the controller).