The Act on the Right of Informational Self-Determination and on Freedom of Information stipulates that data processing based on the law must be reviewed every three years from the start of the Act in order to determine whether it is necessary for the achievement of the purpose of data processing (purpose limitation).
This regular review applies to data processing that is mandatory for the data controller, such as the processing of employee data.
The circumstances and results of the review must be documented in all cases; the documentation must be kept for 10 years and must be made available at the request of the data protection authority.
Due to the above, a regular review of data processing activities and the related documentation is mandatory every three years. As data processing activities are subject to rapid change, the related documentation and the data processing register must be continuously updated. This need for updating applies to all data processing, i.e. not only to activities that are based on a legal requirement, so it is worth regularly reviewing all data processing activities, legal bases, purposes, retention periods, etc. (Note that the three years are counted from the start of data processing: if the data controller has been processing the given personal data for, e.g., seven years, it must already have documentation of at least two completed reviews.)