Under the European General Data Protection Regulation (GDPR), organisations processing personal data must maintain a record of their processing activities unless an exemption applies.
However, the information that must be recorded differs depending on whether the organisation acts as a controller or as a processor.
1. When is it necessary to maintain a record of processing activities?
Controllers or processors must maintain a record of their processing activities if they meet at least one of the following conditions:
- They employ more than 250 employees;
- They carry out processing activities that are likely to result in a high risk to the rights and freedoms of individuals;
- Their processing activities are not occasional;
- Their processing activities consist of processing sensitive data (e.g. health data) or data relating to criminal convictions.
Given the criteria set out above, most organisations satisfy at least one of them. However, they only need to record the processing activities that satisfy at least one of these criteria.
2. Content of the record of processing activities
The information to record differs depending on whether the company is acting as a controller or a processor.
2.1. Controller’s Record
Each controller’s record of its processing activities must contain the following information:
- Name and contact details of the controller, any joint controller, the controller’s representative and the data protection officer;
- The purposes of processing;
- Description of the categories of data subjects and of the categories of personal data;
- The categories of recipients of the personal data;
- Details of the transfer(s) of personal data to third countries or international organisations and documentation of suitable safeguards;
- Data retention period of each category of data (where possible); and
- General description of the security measures implemented (where possible).
2.2. Processor’s Record
Each processor’s record of processing activities must contain the following information:
- Contact details of the processor and of each controller on whose behalf it acts, and of their respective representatives and data protection officers;
- Categories of the processing carried out on behalf of each controller;
- Details of the transfer(s) of personal data to third countries or international organisations and documentation of suitable safeguards;
- Description of the security measures implemented (where possible).