Author: Laura Carmichael, Emma Cradock and Sophie Stalla-Bourdillon
- Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information:
(a) the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer;
(b) the purposes of the processing;
(c) a description of the categories of data subjects and of the categories of personal data;
(d) the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;
(e) where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
(f) where possible, the envisaged time limits for erasure of the different categories of data;
(g) where possible, a general description of the technical and organisational security measures referred to in Article 32(1).
- Each processor and, where applicable, the processor’s representative shall maintain a record of all categories of processing activities carried out on behalf of a controller, containing:
(a) the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller’s or the processor’s representative, and the data protection officer;
(b) the categories of processing carried out on behalf of each controller;
(c) where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
(d) where possible, a general description of the technical and organisational security measures referred to in Article 32(1).
- The records referred to in paragraphs 1 and 2 shall be in writing, including in electronic form.
- The controller or the processor and, where applicable, the controller’s or the processor’s representative, shall make the record available to the supervisory authority on request.
- The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10.
I. General remarks
Accountability is a critical concept under the GDPR (see Art. 5 para. 2) – it is not enough for personal data to be processed in line with the principles of data protection alone (see Art. 5 para. 1); controllers must also be able to demonstrate their compliance with these principles in practice (→ Art. 5 para. 2).[1] Art. 30 therefore introduces one of the new data governance responsibilities[2] under the GDPR, i.e. the obligation for controllers, processors and (where applicable) their representatives to maintain a record of the processing activities under their responsibility.
A key purpose of Art. 30 is to enable controllers, processors and (where applicable) their representatives to (better) understand the processing activities they undertake and which other obligations and rights apply to them.[3] A maintained record of processing activities therefore provides a useful basis for carrying out other compliance activities required by the GDPR – such as DPIAs[4] (→ Art. 35) and handling data subjects’ requests[5] (see Art. 12). Furthermore, the requirement to maintain records can be seen as complementing the principle of transparency (see Art. 5, Art. 13 and Art. 14), as such records can also be communicated to data subjects, as well as to SAs when requested for monitoring purposes (see recital 82 sentence 2).
II. Legislative history
Whilst this is a new EU-wide requirement, some Member States had previously required the maintenance of such a record under the DPD. For example, companies in Germany had already been required to maintain an index of processing activities (Verfahrensverzeichnis) under the BDSG aF.[6] For companies that already have information asset registers, a record of processing activities can be viewed as “a top-level summary”[7] of such registers.
For controllers (and their representatives), the obligation to maintain a record of processing activities can be seen as a replacement of the general obligation to notify the processing of personal data to the SAs under Art. 18 of the DPD (see recital 89). This general obligation to notify has been removed under the new framework, as it was seen to create “administrative and financial burdens” and “did not in all cases contribute to improving the protection of personal data” (as per recital 89 sentence 2).
The documentation of controllers and (where applicable) their representatives must at least contain the information mentioned in Art. 30 para. 1 lit. a to lit. g; this is broadly the same as the information that controllers had to include in their notification to the SA under Art. 19 para. 1 of the DPD. However, Member State implementations of these notification requirements differed in their level of detail. For example, in the UK, section 16 of the repealed Data Protection Act 1998 required only high-level information about the controller’s processing activities as a whole, whereas the French implementation required more detailed information.[8] Records must now further include: the identities and contact details of joint controllers and DPOs (see Art. 30 para. 1 lit. a); the envisaged time limits for erasure of the different categories of data (see Art. 30 para. 1 lit. f); and documentation of suitable safeguards in relation to transfers to third countries (see Art. 30 para. 1 lit. e).
For many processors, holding such documentation is a new obligation, since they had not been required to register with an SA under the DPD (with the exception of Ireland).[9] For processors that do not already hold similar records they can build on for this requirement, fulfilling the obligation could be more costly and burdensome (unless the organisation has also acted as a controller and therefore already maintains such records).
[…]
[1]It is also important to note that legal requirements placed on companies to record their activities extend beyond data protection law, e.g. “tax law and auditing” – as stated in: European Union Agency for Fundamental Rights (FRA) and CoE, Handbook on European Data Protection Law, April 2018, 178, https://www.echr.coe.int/documents/handbook_data_protection_eng.pdf.
[2]Other new data governance responsibilities include (where applicable) the obligations to carry out DPIAs (see Art. 35) and to appoint a DPO (see Art. 37) – as stated in: Sahar Bhaimia, ‘The General Data Protection Regulation: the Next Generation of EU Data Protection,’ Legal Information Management 18, no. 1 (March 2018): 25.
[3]For instance, controllers, processors and (where applicable) their representatives should begin with “an information audit or data-mapping exercise” – as outlined in: ICO, ‘Guide to the General Data Protection Regulation: How do we document our processing activities?,’ accessed 18 January 2021, https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/documentation/how-do-we-document-our-processing-activities. For further information about data mapping, see Fulford/Oastler, ‘People, processes, technology – a how to guide to data mapping,’ Privacy & Data Protection 16, No. 8 (September 2016), 6–8; internal data flow mapping is also mentioned in: Kotschy, ‘Art. 30’, in Kuner/Bygrave/Docksey, 621; for other practical steps, see Robyn Post, ‘GDPR Top Ten #4: Maintaining records of processing activities,’ Deloitte, 10 March 2017, https://www2.deloitte.com/nl/nl/pages/risk/articles/cyber-security-privacy-gdpr-top-ten-4-maintaining-records-processing-activities.html.
[4]As highlighted in: Tsakiridi, ‘A practical guide to conducting Data Protection Impact Assessments,’ Privacy & Data Protection 18, No. 7 (July/August 2018): 14. It is noted that guidance from the DPC also states: ‘Records of processing operations should include relevant risk information including reasons why a DPIA needs to be carried out, or not’ in: DPC, ‘List of Types of Data Processing Operations which require a Data Protection Impact Assessment,’ 15 November 2018, 2, https://www.dataprotection.ie/sites/default/files/uploads/2018-11/Data-Protection-Impact-Assessment.pdf.
[5]As emphasised in: Clark, ‘Practical strategies for dealing with Data Subject Requests’, Privacy & Data Protection 19, No. 3, 17.
[6]In this regard, see: Deloitte, ‘The new records of data processing activities: What are the requirements of the EU-GDPR?’, accessed 18 January 2021, https://www2.deloitte.com/dl/en/pages/legal/articles/dsgvo-verfahrensverzeichnis.html.
[7]As stated in: Wyeth, ‘GDPR series: Record of processing activities (Legislative Comment)’, Privacy & Data Protection 18, No. 1, 16.
[8]See Loi n° 78–17.
[9]Section 16 para. 1 lit. d and lit. e of the Data Protection Act 1988 (Ireland).