The GDPR introduces record-keeping obligations for controllers and processors. The content requirements are very similar for both. Under Art. 30(3) and (4) GDPR, the records must be kept in writing, including in electronic form, and must be made available to the supervisory authority on request.

In accordance with Art. 30(1) GDPR, every controller (or its representative) must maintain a record of processing activities containing the following information:

  • name and contact details of the controller (and, if applicable, its representative, the joint controller and DPO)
  • the purposes of the processing
  • a description of the categories of data subjects and of personal data
  • the categories of recipients to whom the data has been/will be disclosed
  • where applicable: transfers of personal data to a third country/international organization + identification of that third country/international organization + (for transfers under the second subparagraph of Art. 49(1)) documentation of the suitable safeguards
  • where possible: the envisaged time limits for erasure of the different categories of data
  • where possible: a general description of the technical and organizational security measures

In accordance with Art. 30(2) GDPR, every processor (or its representative) must maintain a record of all categories of processing activities carried out on behalf of a controller, containing the following information:

  • the name and contact details of the processor(s) and each controller on behalf of which the processor is acting + the controller’s/processor’s representative and DPO
  • the categories of processing carried out on behalf of each controller
  • where applicable: transfers of personal data to a third country/international organization + identification of that third country/international organization + (for transfers under the second subparagraph of Art. 49(1)) documentation of the suitable safeguards
  • where possible: a general description of the technical and organizational security measures

Art. 30(5) GDPR provides for an exemption from the record-keeping obligations of paragraphs 1 and 2 for enterprises/organizations employing fewer than 250 persons. This exemption applies only if the processing

  • is not likely to result in a risk to the rights and freedoms of data subjects,
  • is occasional and
  • does not involve special categories of data (Art. 9(1) GDPR) or personal data relating to criminal convictions and offences (Art. 10 GDPR)

All three conditions must be met for the exemption to apply. If any one of them is not met (for example, the processing is regular rather than occasional), the exemption does not apply to that processing and a record must be kept for it.