Under the European General Data Protection Regulation (GDPR), both controllers and processors of personal data must maintain a record of their processing activities unless they are exempted (Article 30 of the GDPR).
However, the information to be provided in such a record varies depending on whether they act as a data controller or a data processor with regard to a specific processing activity.

1. When is it necessary to maintain a record of processing activities?

Controllers or processors must maintain a record of their processing activities if they meet at least one of the following conditions:

  • They employ more than 250 employees;
  • They carry out processing activities that are likely to result in a high risk to the rights and freedoms of individuals;
  • Their processing activities are not occasional;
  • Their processing activities consist of processing sensitive data (e.g. health data etc.) or data relating to criminal convictions.

Given the applicable conditions, it is safe to say that most companies/organisations must maintain a record of processing.

2. Content of the record of processing activities

The content of the record varies depending on whether the company is acting as a controller or a processor with regard to the processing activities concerned.

2.1. Controller’s Record

Each controller must maintain a record of the processing activities under its responsibility that must contain the following information:

  • Name and contact details of the controller, joint controller, controller’s representative and the data protection officer
  • The purposes of processing
  • Description of the categories of data subjects and of the categories of personal data
  • The categories of recipients of the personal data
  • Transfer of personal data to third countries or international organization(s) and documentation of suitable safeguards
  • Data retention period of each category of data (where possible)
  • General description of the security measures implemented (where possible)

2.2. Processor’s Record

Processors have an equivalent obligation under the GDPR and must also hold a record of the processing activities they carry out on behalf of the controller.

The record must include the following information:

  • Contact details of the processor and of each controller, their respective representative and data protection officer;
  • Categories of processing carried out on behalf of each controller;
  • Transfer(s) of personal data to third countries or international organisations and documentation of suitable safeguards;
  • Description of security measures implemented (where possible).
