1. Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information:
(a) | the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer; |
(b) | the purposes of the processing; |
(c) | a description of the categories of data subjects and of the categories of personal data; |
(d) | the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations; |
(e) | where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards; |
(f) | where possible, the envisaged time limits for erasure of the different categories of data; |
(g) | where possible, a general description of the technical and organisational security measures referred to in Article 32(1). |
2. Each processor and, where applicable, the processor’s representative shall maintain a record of all categories of processing activities carried out on behalf of a controller, containing:
(a) | the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller’s or the processor’s representative, and the data protection officer; |
(b) | the categories of processing carried out on behalf of each controller; |
(c) | where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards; |
(d) | where possible, a general description of the technical and organisational security measures referred to in Article 32(1). |
3. The records referred to in paragraphs 1 and 2 shall be in writing, including in electronic form.
4. The controller or the processor and, where applicable, the controller’s or the processor’s representative, shall make the record available to the supervisory authority on request.
5. The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10.
The purpose of keeping records of your processing activities is to create an overview of your use of personal data. This overview is the first step in ensuring you process personal data correctly.
The records will illustrate who has access to your data internally and externally. This information will allow you to take actionable steps to ensure that the personal data is processed correctly.
It is easy to misunderstand the wording of these rules as article 30(5) at first sight might exempt you from this significant demand for your business. Most companies have less than 250 employees, but having less than 250 does not mean you are exempt from keeping a record of your processing activities.
Suppose you do non-occasional data processing, e.g. salary management or customer service. In that case, you still have to keep a record of your processing activities.
The same goes for when you process sensitive personal data, e.g. health data or if your processing is likely to involve a risk for people’s rights and freedom, which would be the case when using geolocation systems or video surveillance.
Yes, it is possible to create your records of processing activities yourself. Beware, as it requires some knowledge of the rules to do the exercise correctly. Doing this exercise can benefit your business in several ways. It provides you with an overview of all the processes with personal data. This overview is essential for your GDPR compliance and relevant information to create a better general overview of your business processes.
Delegating the GDPR compliance to a key employee within your organisation is recommended. Delegation ensures that all knowledge and coordination are centralised with one employee.
You must keep a copy of your records of processing activities in writing, which can be electronic.
You should update your records of processing activities every time a process changes or when you implement a new IT system.
Every time you change a business process involving the processing of personal data, you should evaluate how the processing of personal data is affected. If the processing has changed, then you should update your records accordingly.
A process can require many different systems, and an IT system can be used in many different personal data processes.
Customer service might use several IT systems; email, chat, and CRM. All processes in the business might use one IT system, e.g. email.
It is not mandatory, but it would be handy for GDPR compliance.
Having a separate record for your IT systems and what processes they are used in will help you stay compliant in practice. According to the GDPR, you must demonstrate that you comply with the regulation according to article 5 (2). A record of all your IT systems and how each is compliant would help you demonstrate compliance with, e.g. articles 25 and 32 on security.
Ensure that your entire company is equipped with the necessary awareness training on the basics of GDPR and IT security.
Once you have submitted your details, you’ll be our top priority!
