Belgian DPA Registry of Processing Activities Template 20170907 en
Abbreviation:
Alias:
Dutch/French Name:
Address:
Statute:
KBO/BCE Number:
General Phone Number:
General E-Mail Address:
Website:
A list with types (indicative list of purpose types) with some standard purposes has been included on the Lists tab. Note: This list does not cover all situations. For instance, the DPA could decide that more precise information is required for a specified processing activity.
A list of possible legal bases for processing, as mentioned in GDPR Article 6, is provided in the Lists tab. Clarify, if necessary (e.g. reference the statute, if the legal basis is statutory).
Mention the types that are relevant to the processing activity (see the list ‘Processing Types’ in the Lists tab). Enter ‘Normal’ if the type is not one listed under ‘Processing Types’ (see the Lists tab).
Data and Data Subjects Used
Details about the data being processed and the data subjects whose data are being processed.
functional category, sensitive category of data processing, data subject category, classification level, retention period, original source
Functional Data Category
Enter the functional data categories. An indicative list with standard purposes (‘Indicative List of Functional Data Categories’) is included on the Lists tab. Note: This list does not cover all situations. For instance, the DPA could decide that more precise information is required for a specified processing activity.
GDPR Data Category*
Indicate whether data categories will be processed that require special attention. Choose ‘Yes’ if one of the data categories listed under ‘GDPR Data Categories’ (see Lists tab) is involved. Choose ‘No’ if none of the data categories listed under ‘GDPR Data Categories’ (see Lists tab) are involved.
Data Subject Categories
Indicate the data subject categories.
Vulnerable Data Subject Category
Indicate whether the data subjects are considered a vulnerable category. Choose ‘Yes’ if the data subjects involved are in a situation in which there is a lack of parity in the relationship between the data subject and the controller, such as children, employees, patients, etc.
Classification Level
Indicate the classification level of the processing activity according to the organization's classification system (choose the highest in case multiple are involved). See the document [XX] for more information. Replace [XX] with the name of the document describing the internal classification process.
Note: This list does not cover all situations. For instance,
the DPA could decide that more precise information is
required for a specified processing activity.
Third Country/International Organization
Where appropriate, indicate the third countries/international organizations involved in the data transfer.
Nature of Transfer to Third Country/International Organization
Where appropriate, indicate the nature of the transfer to third countries/international organizations.
Documents for Appropriate Safeguards
In case of data transfer to a third country/international organization & transfer based on GDPR Article 49(2), list the documents that clarify the appropriate safeguards and where these documents are stored.
A list of possibilities is available on the Lists tab.
Definition of a ‘third country’: all countries outside of the European Union (EU) and the European Economic Area (EEA).
Personnel management
Task management
Workplace monitoring
Customer management
Donation collection
Public relations
Business intelligence
Registration and administration of shareholders or partners
Member management
Security
Dispute management
Protection of society, the industry, or the organization
Government Purposes
Taxes
Subsidies
Permits
Elections
Immigration administration
Land registry
Government records
Education
Student administration
Student counseling
Medical coding
Patient records
Registering risk groups
Organ donor registration
Scientific research
Market research
Historical research
Genealogy
Statistical research
Banking and Financial Services, Insurance
Account management
Wealth management
Corporate finance
Lending
Credit management
Brokerage services
Trade
Direct marketing
Other Purpose
Other purpose
Basis for Processing
Basis for Processing
Data subject consent
Task carried out in the public interest or in the exercise of official authority
Financial assistance
Insurance policy details
Financial transactions
Compensation
Professional activities
Permits
Personal characteristics
Personal details
Military details
Immigrant status
Physical details
Physical description
Private habits
Habits
Lifestyle
Travel and movement details
Social contacts
Possessions
Public mandates
Distinctions
Media use
Psychological details
Psychological descriptions
Composition of the family
Marriage or current form of cohabitation
Marital history
Consumption habits
Rental data
Lending data
Residence data
Residence data
Health data
Physical health data
Publications
Profession and employment
Current employment
Recruitment
Work termination
Career
Absenteeism and discipline
Occupational medicine
Wages
Security
Use of technology
Social Security Number
Social Security Number
Racial or ethnic data
Racial or ethnic data
Data about the sex life
Data about the sex life
Political opinions
Political tendency
Political affiliation
Membership in an interest group or militant organization
Membership in a trade union
Membership in a trade union
Philosophical or religious beliefs
Philosophical beliefs
Video recordings
Images
Surveillance images
Sound recordings
Sound recordings
Type of Processing
Enter ‘Normal’ if none of the types listed below apply.
Evaluation or review of people, including profiling and making prognoses
Automated decisions with legal consequences or similar substantial consequences
Systematic monitoring (tracking, monitoring, or checking on the data subject) (sound, photo, or video recordings)
Large-scale processing activities or processing activities with consequences for a large number of stakeholders
Combining or merging of data collections that data subjects cannot reasonably expect
Data processing that prevents data subjects from exercising a right, using a service, or concluding a contract
Use of new technologies or application of technical and organizational means
Systematic monitoring of a publicly accessible area on a large scale
GDPR Data Category
Special categories of personal data (GDPR Article 9)
Please note: in principle, the processing of these is prohibited
Genetic data for the purpose of uniquely identifying a person
Biometric data for the purpose of uniquely identifying a person
Health data
Data revealing racial or ethnic origin
Data revealing political opinions
Data revealing religious or philosophical beliefs
Data revealing trade union membership
Data related to someone’s sex life or sexual orientation
Processing of personal data relating to criminal convictions and offenses (GDPR Article 10)
Personal data protected by professional secrecy
Data that are generally considered to entail an elevation of the possible risk for the rights and freedoms of natural persons
Electronic communication data
Location data
Financial data
Information processed by a natural person in the context of purely personal or household activities the publication or processing of which for any other purposes than household activities may be considered as very intrusive
Explanation
Recruitment and selection of employees and intermediaries (brokers, independent representatives, etc.).
Payroll administration, remunerations, commissions, and wages. Application of social legislation.
Evaluation and management of employees and intermediaries. Planning of training and career.
Planning and management of tasks, workloads and performance.
Monitoring the professional activities in the workplace via CCTV or IT systems, such as monitoring of
email, Internet usage, telephones, etc.
Customer administration, management of orders, deliveries, invoicing of material and immaterial
services. Solvency monitoring. Personalized marketing and advertising. Registering customers of a
business and profiling them based on purchases.
Intended are activities to prevent and detect such acts.
Management of claims, including repayment of monies owed.
Vendor administration. Management of orders received and payment of vendors. Prospecting possible
vendors and their evaluation.
Donor administration for a club. Prospecting new donors.
This includes creating goodwill for the organization.
Analyzing competitors and potential partners.
Maintaining a registry of shareholders or partners. The administration of their financial and other
benefits.
The administration of members, volunteers and sympathizers of a club.
Data processing to ensure the safety of people or goods. Note: In principle, security cameras are subject
to the law of March 21, 2007 regarding the placement and use of security cameras (the ‘Camera Law’)
and may not be reported by means of this form. Please use the customized thematic form. More
information in this regard can be found at www.privacycommission.be (Caméras de surveillance et notre
vie privée / Bewakingscamera’s en onze privacy).
The management by natural persons, private bodies or public authorities of their own disputes.
Processing of data regarding persons that represent a certain risk, such as hooligans.
Levying taxes and the activities related to it: registering tax payers as well as calculating, collecting, and
tracking taxes.
Granting subsidies and the related activities: researching eligible recipients as well as calculating, paying,
and tracking subsidies.
Granting permits and the related activities: researching eligible recipients and tracking the requirements.
Processing activities performed by local government, such as processing related to population registers,
personal IDs, civil registry records, etc.
Maintaining voter rolls and organizing elections.
Maintaining an immigrant registry and tracking residence permits.
Creating and updating a registry of properties, levying property taxes and providing tax certificates.
Management of the correspondence between the government service and the people who have
voluntarily communicated with the service. Managing the data of people with whom the government
service is not in a profitable relationship.
Collecting and tracking information about people deemed to be a risk to public safety.
Detecting and tracking people suspected of crimes.
Preventing violations of and supervising compliance with laws and regulations.
Maintaining rolls and registers.
Registering criminal convictions.
Management of criminal cases and interests by lawyers or other legal counselors in the interests of their
clients.
Creating a student database, organizing the curriculum and the exams, registering results and decisions.
Calculating, invoicing and collecting of monies owed. Relations with alumni.
Providing guidance counseling to students regarding their intellectual development, their psychological
problems, and selecting career paths.
Collecting contributions, determining and awarding government benefits, including welfare assistance.
The diagnosis and paramedical treatment of patients, including the evaluation of the provided and yet to
be provided care for the purpose of improving the quality of care offered to patients.
Tracking of in-patient care and treatment for the purpose of invoicing.
Registering medical and in-patient information for management purposes.
Identifying and monitoring persons with elevated medical risks.
Creating databases of people willing to be organ donors as well as the promotion and use of such a
database.
Data processing related to the prescription and delivery of medication.
consistent with the original collection purpose
Research into the spreading of medical risk, morbidity, and mortality.
Research into the causes of medical pathology and the effect of medical treatments. Clinical trials.
Collection and processing of all data related to medical and paramedical diagnostics as well as
therapeutic practices provided to patients for the purpose of improving the quality of care practices.
Any act intended to determine paradigmatical, behavioral, and causal connections that are greater than
the individuals to which they are related. Aimed at describing global phenomena.
Studies related to the buying behavior, preferences and purchase intentions of people for the purpose of
determining market strategies.
Processing of personal data from private or public archives for the purpose of analyzing a historical event
or enabling such an analysis.
Processing of personal data for the purpose of constructing a family tree or genealogical tree, family
register or family list, etc.
Any act intended to collect and process personal data necessary for statistical questionnaires or for
delivering a statistical result (e.g. general announcement, help in planning and decision-making and in
the service of science).
The management of individual debit and savings accounts, whether or not a credit balance is present,
belonging to customers of the financial institution. These activities include the payment transactions
related to the account.
This refers to the totality of actions performed by a bank, whether or not in a discretionary manner, in
counseling customers in the management of their estate.
Providing services related to the distribution of capital, selling of shares, takeovers, and mergers.
This refers to the totality of actions related to the estimation of risks incurred by a bank when granting
credit, regardless of the nature of the credit.
This refers to the actions related to the monitoring and repayment of credit balances, including claims
and the actions related to those claims, regardless of whether a third party is involved.
The integration of all or part of processed data in the context of one of the finalities that are specific to
the banking industry. This is for the purpose of coming to a conclusion of the overall profitability of
customers and whether or not banking products or services customized to their needs shall be offered
and to help the banking institution, in a general sense, to take the necessary decisions with regard to its
customers.
The mediation between customers and financial institutions specializing in insurance, credit, stock
exchange products, etc.
Insuring persons against uncertainties that damage the physical integrity or the family circumstances of
persons. Risk analysis, management of policies, premiums and compensation. Reinsurance and dispute
management.
The group variant of personal insurance.
Insuring customers against damage to goods and possessions or against their liability for damage caused
to third parties. Risk analysis, management of policies, premiums and compensation. Reinsurance and
dispute management.
Insuring employers against damage incurred by employees during work-related accidents. Risk analysis,
management of policies, premiums and compensation. Reinsurance and dispute management.
Preventive research.
Processing of data across various branches of insurance regarding persons with an elevated risk for the
purpose of avoiding unacceptable risks and fraud.
Canvassing, activities and services offered to population segments by commercial companies, charities,
or other clubs or foundations, including those of a political nature. The means of communication for
these actions can be mail, telephone or other direct means (e.g. email).
It is of no importance whether the addressee is already a customer or not.
Sale after data processing, published by official sources (such as the Moniteur Belge/Belgisch Staatsblad),
in combination with data acquired from other institutions.
Explanation
The data subject has given consent to the processing of his or her personal data for one or more specific
purposes (GDPR Article 6(1)(a)).
Note that the consent must meet the requirements as determined by GDPR Article 7.
The processing is necessary for the performance of a contract to which the data subject is party or in
order to take steps at the request of the data subject prior to entering into a contract (GDPR Article 6(1)(b)).
The processing is necessary for compliance with a legal obligation to which the controller is subject
(GDPR Article 6(1)(c)).
The processing is necessary in order to protect the vital interests of the data subject or of another natural
person (GDPR Article 6(1)(d)).
The processing is necessary for the performance of a task carried out in the public interest or in the
exercise of official authority vested in the controller (GDPR Article 6(1)(e)).
The processing is necessary for the purposes of the legitimate interests pursued by the controller or by a
third party, except where such interests are overridden by the interests or fundamental rights and
freedoms of the data subject which require protection of personal data, in particular where the data
subject is a child (GDPR Article 6(1)(f)).
Explanation
Name, title, address (work and home), former addresses, telephone number (work and home), IDs
assigned by the controller.
ID card number, passport number, driver's license number, license plate number, etc.
IP addresses, cookies, connection moments, etc.
Cell tower data, GPS data, etc.
DNA data, finger and voice prints, iris scans, facial recognition, finger or hand shape recognition, dynamic
signatures, etc.
ID numbers, bank account numbers, credit or debit card numbers, secret codes.
Income, possessions, investments, total income, professional income, savings, start and end dates of
investments, investment income, debts owed on assets.
Total expenditures, rent, loans, mortgages and other forms of credit.
Evaluation of the income, of the financial status, of solvency.
Nature of the loan, the amount borrowed, remaining balance, start date, loan period, interest rate,
payment overview, details regarding the guarantees.
Benefits, assistance, gifts, subsidies.
Nature of the insurance policy, details regarding the covered risks, insured amounts, insured period,
termination date, payments made, received, or missed, status of the agreement.
Effective date of the pension plan, nature of the plan, termination date of the plan, received and made
payments, options, beneficiaries.
Amounts paid and payable by the data subject, awarded credit lines, sureties, payment method, payment
overview, deposits and other guarantees.
Details regarding claimed compensations, paid amounts or other types of compensation.
Professional activities performed by the data subject: nature of the activity, nature of the goods or
services used or delivered by the person in the record, business relations.
Details regarding settlements or trade agreements, agreements regarding representation or legal
agreements, details regarding agents.
Permits held by data subjects.
Name of the spouse or partner, maiden name of the spouse or partner, wedding date, date of the
cohabitation contract, number of children, etc.
Details regarding previous marriages or partnerships, divorces, separations, names of previous partners.
Children, dependents, other members of the household, other close blood relatives, parents and
descendants.
Suspicions of violations, conspiratorial connections with known criminals. Inquests or judicial actions
(civil or criminal) undertaken by or against the data subject.
Convictions and sentences.
Guardianship, temporary administratorship, internment, placement.
Administrative penalties:
* purely disciplinary in nature;
* those that can be imposed on people who are not in public service but cooperate with them
(physicians, pharmacists, paramedics, contractors of public works);
* those that can be imposed on people using public services;
* those that can be imposed for failure to comply with statutory or regulatory measures, e.g. littering on
the public road.
DNA data processed in the context of the law dated March 22, 1999 related to identification procedures
through DNA analysis in criminal proceedings.
Details regarding the goods and services provided, loaned, or rented to the data subject.
Details regarding the goods and services provided, loaned, or rented by the data subject.
Address of the residence: nature of the residence, owned or rented property, duration of the residency
at that address, rent, costs, classification of the residence, details regarding valuation, names of people
who are in possession of keys.
Medical file, medical report, diagnostic information, treatment, results of analysis, handicap or infirmity,
diet; other special demands related to the health when managing a trip or a residence.
Medical file, medical report, diagnostic information, treatment, results of analysis.
Risk situations and risk behavior.
Genetic data related to population studies, genetic research, etc.
Data related to the means and procedures used during a medical and paramedical treatment.
Overview of schools, institutions, colleges, and universities attended, nature of the completed courses,
diplomas or certificates pursued, exam results, other diplomas awarded, evaluation of study progress.
Enrollment fees and paid costs, funding, payment methods, payment records.
Certificates and professional trainings, special licenses (engineer’s license, etc.).
Professional interests, research interests, academic interests, specializations, teaching experience,
consultations.
Details regarding the groups, committees or commissions involved, functions held, special interests, and
participation records.
Books, articles, reports, published audiovisual materials.
Employer, title and role description, seniority, recruitment date, work location, specialization or company
type, work modes and conditions, former positions and prior work experience at the same employer.
Recruitment date, recruitment method, recruitment source, references, details related to the
probationary period.
Termination date, reason, notice period, termination conditions.
Prior employment and employers, periods without employment, military service.
Absenteeism records, reasons for being in absentia, disciplinary measures.
Diminished work capacity resulting from a work accident, first-aid certification.
Payments and deductions, salary, commissions, bonuses, expenditures, grants, advantages, loans, tax
withholdings, FICA withholdings, union contributions, payment methods, date of most recent salary
increase.
Car, tools, spare parts, reference tools, other objects in possession of the employee.
Current responsibilities, projects, billable hours, hourly wage, hours worked.
Performance review, possibilities.
Details regarding the training required and received for the position as well as the qualifications and
authority obtained.
Passwords, security codes, levels at which permissions are granted.
Evaluation of the use of technology (Internet, email, etc.).