Search

Records of processing activities under the GDPR

The GDPR introduces record-keeping obligations for the controllers and processors. The content requirements are very similar for both of them. The records must be kept in writing, including in electronic form. They must be made available upon the supervisory authority’s request.

In accordance with Art. 30(1) GDPR, every controller (or its representative) must maintain a record of processing activities containing the following information:

  • name and contact details of the controller (and, if applicable, its representative, the joint controller and DPO)
  • the purposes of the processing
  • a description of the categories of data subjects and of personal data
  • the categories of recipients to whom the data has been/will be disclosed
  • data transfers to a third country/international organization + identification of that third country/international organization + documentation of suitable safeguards
  • where possible: the envisaged time limits for erasure of the different categories of data
  • where possible: a general description of the technical and organizational security measures

In accordance with Art. 30(2) GDPR, every processor (or its representative) must maintain a record of all categories of processing activities carried out on behalf of a controller, containing the following information:

  • the name and contact details of the processor(s) and each controller on behalf of which the processor is acting + the controller’s/processor’s representative and DPO
  • the categories of processing carried out on behalf of each controller
  • transfers of personal data to a third country/international organization + identification of that third country/international organization + documentation of suitable safeguards
  • where possible: a general description of the technical and organizational security measures

Art. 30(5) provides for an exemption from the record-keeping obligations for companies/organizations employing fewer than 250 persons. This exemption applies only if the processing

  • is not likely to result in a risk to the rights and freedoms of data subjects,
  • is occasional and
  • does not involve sensitive data

All three requirements must be met for this exemption.

activeMind.legal Rechtsanwaltsgesellschaft is a law firm specialising in data protection law. With our partner firms in the UK and Switzerland, we cover all aspects of GDPR compliance and national data protection law in Europe.

Munich

activeMind.legal
Rechtsanwaltsgesellschaft m. b. H
Potsdamer Straße 3
80802 Munich, Germany

+49 (0) 89 / 919 29 49 00

Berlin

activeMind.legal
Rechtsanwaltsgesellschaft m. b. H
Kurfürstendamm 56
10707 Berlin, Germany

+49 (0) 30 / 770 19 10 70

Services

Resources

About

Group

© 2016-2024 activeMind.legal

powered by rethink digital & KLEINWERKSTATT

Contact us!

+49 (0)89 / 91 92 94 – 900

Full details of how we handle your data can be found in our privacy policy.

Secure the knowledge of our experts!

Subscribe to our free newsletter:

By clicking on "Subscribe now" you consent to receive our newsletter. We will only use your data in accordance with our privacy policy.