Under the European General Data Protection Regulation (GDPR), organisations processing personal data must maintain a record of their processing activities (ROPA) unless an exemption applies.
However, the type of information to maintain in this record differs depending on whether the organisations act as a controller or as a processor with regard to a specific processing activity.
Besides, some of the processing activities recorded may also be subject to a data protection impact assessment (DPIA), which requires additional information (see here).
1. When is it necessary to maintain a record of processing activities?
Controllers or processors must maintain a record of their processing activities if they meet at least one of the following conditions:
- They employ more than 250 employees;
- They carry out processing activities that are likely to result in high risk for the rights and freedoms of the individuals;
- Their processing activities are not occasional;
- Their processing activities consist of processing sensitive data (e.g. health data etc.) or data relating to criminal convictions.
Given the criteria set out above, most organisations satisfy, at least, one of these criteria. However, they should only record the processing activities that satisfy one thereof.
2. Content of the record of processing activities
The information to record differs depending on whether the company is acting as a controller or a processor with regard to each processing activity.
2.1. The controller’s record of processing activities
Each controller’s record of their processing activities must contain the following information:
- Name and contact details of the controller, joint controller, controller’s representative and the data protection officer;
- The purposes of the processing activities;
- Description of the categories of data subjects and of the categories of personal data;
- The categories of recipients of the personal data;
- Details of the transfer of personal data to third countries or international organization(s) and documentation of suitable safeguards;
- Data retention period of each category of data (where possible); and
- General description of the security measures implemented (where possible).
2.2. Processor’s record of processing activities
Processors’ record of processing activities must contain the following information:
- Contact details of the processor and each controller, their respective representative and data protection officer;
- Categories of the processing carried out on behalf of each controller;
- Details of the transfer(s) of personal data to third countries or international organisations and documentation of suitable safeguards;
- Description of security measures implemented (where possible).
For any question do not hesitate to contact Arnaud Blanc,French & UK qualified lawyer based in France