Under the European general data protection regulation (GDPR), both controllers and processors of personal data must maintain a record of their processing activities unless they are exempted (article 30 of the GDPR).
However, the information to be provided in such a record varies depending on whether they act as a data controller or a data processor with regard to a specific processing activity.
1. When is it necessary to maintain a record of processing activities?
Controllers or processors must maintain a record of their processing activities if they meet at least one of the following conditions:
- They employ more than 250 employees;
- They carry out processing activities that are likely to result in a high risk to the rights and freedoms of individuals;
- Their processing activities are not occasional;
- Their processing activities consist of processing sensitive data (e.g. health data etc.) or data relating to criminal convictions.
Given these conditions, it is safe to say that most companies and organisations must maintain a record of processing activities.
2. Content of the record of processing activities
The content of the record varies depending on whether the company is acting as a controller or a processor with regard to the processing activities concerned.
2.1. Controller’s Record
Each controller must maintain a record of the processing activities under its responsibility that must contain the following information:
- Name and contact details of the controller, joint controller, controller’s representative and the data protection officer
- The purposes of processing
- Description of the categories of data subjects and of the categories of personal data
- The categories of recipients of the personal data
- Transfer(s) of personal data to third countries or international organisations and documentation of suitable safeguards
- Data retention period of each category of data (where possible)
- General description of the security measures implemented (where possible)
2.2. Processor’s Record
Processors have an equivalent obligation under the GDPR and must also hold a record of the processing activities they carry out on behalf of the controller.
The record must include the following information:
- Contact details of the processor and of each controller, their respective representative and data protection officer;
- Categories of processing carried out on behalf of each controller;
- Transfer(s) of personal data to third countries or international organisations and documentation of suitable safeguards;
- Description of security measures implemented (where possible).