Commentary to art. 30

GDPR – commentary

A continuously updated commentary on the General Data Protection Regulation.
We only write about what is important in practice.

Records of personal-data processing activities

  • In principle, each controller shall maintain a record of personal-data processing activities under its responsibility, and each processor shall maintain a record of all categories of processing activities carried out on behalf of a controller.
  • GDPR sets out the mandatory elements of such records, but other elements, which may prove useful in structuring data processing activities, can also be considered.

Who should keep these records and in what cases:

In practice, essentially:

  • Almost every controller (see below for exceptions) is required to keep a record of personal-data processing activities. Such a record is supposed to contain those processing activities for which the given entity is a controller (or joint controller). For example, a record maintained by an entity that has personnel should include the processing activities related to personnel recruitment.
  • Each processor (see below for exceptions) is required to maintain a record of all categories of processing activities carried out on behalf of a controller. Consequently, this record should include those categories of processing activities for which the entity is a processor on behalf of other controllers. For example, a record of all categories of processing activities maintained by an entity that provides IT services to its clients, where it processes on their behalf personal data of their employees, should also contain processing activities carried out in connection with the provision of IT services to clients.

When personal-data processing records do not need to be kept:

Under the GDPR, record-keeping obligations do not apply to an enterprise or an organisation employing fewer than 250 persons unless:

  • The processing it carries out is likely to result in a risk to the rights or freedoms of data subjects;
  • The processing is not occasional;
  • The processing involves:
    • special categories of data as referred to in Article 9(1) of the GDPR;
    • or personal data relating to criminal convictions and offences referred to in Article 10 of the GDPR.

The scope of the above exemption based on the 250-employee threshold may at first glance appear broad. However, as indicated above, the GDPR at the same time provides that in certain cases an entity is required to keep a processing record even if it employs fewer than 250 persons.

According to the position of the Article 29 Working Party (now the European Data Protection Board), such a 'smaller' entity should implement the record-keeping obligation when any of the following situations arises:

  • The processing it carries out is likely to result in a risk to the rights or freedoms of data subjects;
  • The processing is not occasional;
  • The processing involves special categories of personal data referred to in Article 9(1) of the GDPR or personal data relating to criminal convictions and offences.

In practice, the triggers for the requirement to keep a processing record by 'smaller' entities are so frequent that the absence of a requirement to keep such a record will be relatively rare. For example, in the case of employers, there is in principle always a prerequisite triggering the obligation to keep a record of the processing of special categories of data. This is because employers process personnel’s health information. Similarly, in business transactions, situations where it can reasonably be argued that the processing of personal data carried out by the entity is occasional rather than (more or less) permanent will be very rare.

Why keep records of processing activities:

As indicated in Recital 82 of the GDPR preamble, records are kept to demonstrate compliance with the GDPR and to enable the supervisory authority to monitor personal-data processing operations.

Without doubt, properly kept records make it possible to systematise processing activities. As the President of the Data Protection Authority (PDPA) points out:

Thanks to the information collected in these records, controllers and processors can also assess the extent to which other obligations under the General Regulation apply to them, e.g. the requirement to carry out a data protection impact assessment of the processing, which is foreseen under the Regulation, inter alia, in situations of large-scale processing of special categories of personal data referred to in Article 9(1) of the GDPR, or personal data relating to criminal convictions and offences referred to in Article 10 of the GDPR. By complying with the requirement set out in Article 30 of the GDPR, you will be able to continuously review your personal data processing activities and subject each newly introduced or modified process to an assessment at its earliest stage.

Importantly, record keeping is an ongoing activity. Records should be updated on an ongoing basis to reflect the current state of data processing in the organisation. Reliably maintained records can be an extremely useful tool for managing personal data processing activities - among other things, by facilitating the compliance of processing with the GDPR.

The President of the Personal Data Protection Authority has published [in Polish] the Guidelines and Explanations on the Obligation to Record Processing Activities and Categories of Processing Activities Set Out in Article 30(1) and (2) of the GDPR (Wskazówki i wyjaśnienia dotyczące obowiązku rejestrowania czynności i kategorii czynności przetwarzania określonego w art. 30 ust. 1 i 2 RODO), which offer some practical explanations on record keeping.

What elements should the record of personal-data processing activities contain:

The GDPR lists the following mandatory elements of the record of processing activities:

  (a) The name and contact details of the controller and, where applicable, the joint controller, the controller's representative and the data protection officer;
  (b) The purposes of processing;
  (c) A description of the categories of data subjects and of the categories of personal data;
  (d) Categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organisations;
  (e) Where applicable, information on transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1) of the GDPR, the documentation of suitable safeguards;
  (f) Where possible, the envisaged time limits for erasure of the different categories of data;
  (g) Where possible, a general description of the technical and organisational security measures referred to in Article 32(1) of the GDPR.

It is imperative for the record of processing activities to always contain the information referred to in points (a) to (d). The information referred to in point (e) should be included if the controller transfers data outside the EEA. The remaining information (points (f) and (g)) should be included in the record “where possible”.

In practice, it is advisable for the record to contain all relevant information. Indeed, it is difficult to show in which cases the inclusion of such information in the record, even if only in a partial form, would be reasonably impossible.

Can a record of processing activities contain additional elements:

The PDPA states in the Guidelines that the record may also contain other elements that the controller considers reasonable and useful in the context of demonstrating compliance with the GDPR (e.g. legal basis of processing, source of data acquisition, IT system used, information on the outcome of a DPIA, indication of process owners, etc.).

What is meant by the term ‘processing activities’:

The record is supposed to cover ‘processing activities’ but the GDPR does not specify how this term is to be understood. According to the PDPA:

Processing activities are a set of interrelated data operations performed by one or more persons, which can be identified in an aggregated manner in relation to the purpose for which the activities are undertaken.

So should the record describe every component of a processing operation in detail? No, there is no such need. The PDPA explains this based on the following example:

In the case of recruitment of staff, a single purpose will comprise a number of sub-operations that do not need to be described in detail in the record, such as the extraction of information about the candidates from the offers sent as a result of the advertisement, their selection, the extraction of additional information through interviews with selected candidates, the deletion of the data of persons not selected for employment, etc. It is not necessary to describe each individual operation performed on the data in the process collectively referred to as “personnel recruitment” as this is not necessary to characterise the processing in light of the criteria indicated in Article 30(1) of the GDPR.

Mandatory elements of the record of all categories of processing activities:

The GDPR indicates the following mandatory elements that a record of all categories of processing activities maintained by a processor must contain:

  (a) The name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller's or the processor's representative, and the data protection officer;
  (b) The categories of processing carried out on behalf of each controller;
  (c) Where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1) of the GDPR, the documentation of suitable safeguards;
  (d) Where possible, a general description of technical and organisational security measures referred to in Article 32(1) of the GDPR.

It is imperative that the record of categories of processing activities always contain the information referred to in points (a) and (b). The information referred to in point (c) should be included if the processor transfers data outside the EEA. The remaining information (point (d)) should be included in the record “where possible”.

In practice, it is advisable for the record to contain all relevant information. Indeed, it is difficult to show in which cases the inclusion of such information in the record, even if only in a partial form, would be reasonably impossible.

Can a processor’s record of categories of processing activities contain additional elements:

Similarly to the record of processing activities, the record of all categories of data processing may also contain additional elements. For example, the PDPA mentions in the Guidelines that such elements may include the duration of the contract, the IT system used for processing, contact details of further processors, etc.

In what form should these records be kept:

Under the GDPR, they should be kept in written form, including in electronic form. As the PDPA confirms in the Guidelines, entities are free to adopt any layout of information on individual processing activities.

Here are some of the PDPA’s suggestions regarding the layout of records:

  • It is advisable that the information on the name of the controller/processor (in the case of a record of categories), its contact details, the name of the representative and his/her contact details and the name and contact details of the data protection officer be provided only once, e.g. on the title page of the record.
  • It is advisable to enter the name or description of the processing activity in the record of processing activities as the first item next to the entry in question, followed by other information about the activity.
  • It is advisable to include in the record of all categories of processing activities, as the first item next to the respective entry:
    • The name of a given ‘category of the processing activity’ (type of service) as a value that allows record entries to be grouped;
    • The name and contact details of the data controller for which the service is being provided;
    • The name and contact details of the controller's representative - if applicable - and the name and contact details of the data protection officer appointed by the controller.

Whatever layout is chosen, it is important for the controller or processor to be able in each case to clearly and transparently present the elements required under Article 30(1) and (2) of the GDPR with respect to all conducted processing of personal data.