Under the new data protection regulation (GDPR), both data controllers and data processors must maintain a record of their processing activities if certain conditions are met (article 30 of the GDPR).
However, the content of the register of the processing activities is different depending on whether they act as a data controller or a data processor.
1. When is it necessary to maintain a record of processing activities?
Controllers or processors must maintain a record of their processing activities when they meet one of the following conditions:
- They employ more than 250 employees
- They carry out processing activities that is likely to result in high risk for rights and freedom of the individuals
- Their processing activities is not occasional
- Their processing activities consist of processing sensitive data (e.g. health data etc.) or data relating to criminal convictions
If one of the aforementioned conditions is met, the person processing personal data must maintain a record of its processing activities.
2. Content of the register
The content of the register varies depending on whether it is a data controller or data processor.
2.1. Data Controller’s Register
Each controller must maintain a record of processing activities under its responsibility and it should contain the following information:
- Name and contact details of the controller, joint controller, controller’s representative and the data protection officer
- The purposes of processing
- Description of the categories of data subjects and of the categories of personal data
- The categories of recipients of the personal data
- Transfer of personal data to third country or international organization and documentation of suitable safeguards
- Data retention period of each category of data
- General description of the security measures implemented
2.2. Data Processor’s Register
Processors have equivalent obligation under the GDPR and must also hold a record of the activities carried out on behalf of the controller.
The record should include the following information:
- Contact details of the processor and of each controller, their respective representative and data protection officer
- Categories of processing carried out on behalf of each controller
- Transfer of personal data to their countries or international organisations and documentation of suitable safeguards
- Description of security measures implemented
This post is also available in fr_FR.