As a controller, you shall maintain a record of processing activities under your responsibility. Similarly, your processors shall maintain a record of all categories of processing activities carried out on your behalf.
However, this obligation shall not apply if all of the following conditions are fulfilled:
- the enterprise or organisation employs fewer than 250 persons,
- the processing it carries out is not likely to result in a risk to the rights and freedoms of data subjects,
- the processing is occasional,
- the processing does not include special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10 of the GDPR.
Keeping records of processing operations enables you to measure the impact of the GDPR on your activities. It is therefore recommended in any case, as a means of demonstrating compliance with the GDPR.
What should be included in the controller’s records of processing activities?
- the name and contact details of the controller and, where applicable, the joint controller, the controller's representative and the data protection officer;
- the purposes of the processing;
- a description of the categories of data subjects and of the categories of personal data;
- the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;
- where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
- where possible, the envisaged time limits for erasure of the different categories of data;
- where possible, a general description of the technical and organisational security measures referred to in Article 32(1).
What should be included in the processor’s record of processing activities?
- the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller's or the processor's representative, and the data protection officer;
- the categories of processing carried out on behalf of each controller;
- where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
- where possible, a general description of the technical and organisational security measures referred to in Article 32(1).
What form should the records of processing activities take?
The GDPR does not define a single template or format for the records of processing activities. Each controller or processor may therefore use any format, provided that the information referred to in Article 30 of the GDPR is included.
In addition, the data protection authorities of France, Belgium and Bavaria each provide a model for the register of processing activities.
However, you should be aware that none of these models covers all possible situations. It is therefore possible, and even recommended, to modify one of these models or create a new one to take into account the specific context and particularities of your organisation.