Records of processing activities | GDPR Article 30

2019-08-18

Comprehensive guidelines about the records of processing activities under the GDPR with access to templates and examples from data protection authorities.


What are records of processing activities

Records of processing activities are an accountability measure introduced by Article 30 of the GDPR, which requires businesses and organisations to document the flows of personal data within the company.

This measure replaced the old obligation, laid down in the laws of many EU Member States, to notify filing systems to a register kept by the supervisory authority. It is the first step towards building a true culture of privacy and data protection accountability within an organisation.

Furthermore, the records must be made available to the supervisory authority on request (Article 30(4)). It is therefore highly advisable to record every new processing activity before it goes into production and to keep the records up to date (recital 82 and Article 30 GDPR).

Who should maintain records of processing activities

Subjects required to maintain a record of their processing activities are controllers, processors and, where applicable, their representatives, whenever their processing activities fall under the scope of application of the GDPR.

If you perform one of those roles when processing personal data, chances are that you should maintain records of your processing activities, unless you can rely on the Article 30(5) derogation. This exemption is available to enterprises or organisations employing fewer than 250 persons, except where the processing they carry out:

  1. is likely to result in a risk to the rights and freedoms of data subjects;
  2. is not occasional; or
  3. includes special categories of data, or personal data relating to criminal convictions and offences.

Since these conditions are alternatives (meeting any one of them is enough to lose the exemption) and the processing of employee or customer data is rarely occasional, qualifying for the derogation is unlikely in practice, so most companies dealing with personal data will have to maintain records of their processing activities.

Content of a record of processing activities

In the records of processing activities you should list the processing activities that you carry out within your company and provide, at least, the information set out by the GDPR.

As for how much detail to include, concise, minimum information is sufficient; how far to go beyond that is your decision. What matters is that every required field is filled in and that the information is accurate.

Ideally, you should describe each processing activity well, as this will help you at a later stage to analyse risks and, where required, to carry out data protection impact assessments.

What information must be included in the records depends on whether you are a controller or a processor.

Records of controllers

If you are the controller, you should include all the information set out in Article 30(1) of the GDPR (with the security measures described by reference to Article 32(1)), namely:

  1. Your name and contact details and, where applicable, those of the joint controller, of your representative, and of the data protection officer;
  2. The purposes of the processing;
  3. A description of the categories of data subjects and of the categories of personal data;
  4. The categories of recipients to whom you disclose or will disclose personal data, including recipients in third countries or international organisations;
  5. Transfers of personal data to a third country or an international organisation, identifying the third country or international organisation and, for transfers relying on the second subparagraph of Article 49(1) (compelling legitimate interests), the documentation of suitable safeguards.

Furthermore, where possible, you should also record:

  1. The envisaged time limits for erasure of the different categories of data;
  2. A general description of the security measures including, inter alia:
    1. the pseudonymisation and encryption of personal data;
    2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
    3. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
    4. a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

Records of processors

If you are a processor, you should include the following information:

  1. Your name and contact details and those of each controller on behalf of which you act and, where applicable, those of your representative, the controller’s representative, and of the data protection officer;
  2. The categories of processing carried out on behalf of each controller;
  3. Transfers of personal data to a third country or an international organisation, identifying the third country or international organisation and, for transfers relying on the second subparagraph of Article 49(1) (compelling legitimate interests), the documentation of suitable safeguards.

As for controllers, where possible you should also add a general description of the security measures.
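Organisations that keep their records as structured data (a spreadsheet export, YAML, JSON) can check them mechanically against the minimum content listed above for controllers and for processors, and against the Article 30(5) derogation test from the previous section. The following Python checker is an added example written for this page; it is not code from the article or from any data protection authority. The field names, the transfer basis label `art49_1_second_subparagraph` and the two sample records for "Example Ltd" and "Example Processor SL" are this example's own constructed assumptions, not prescribed by the GDPR.

```python
"""Added example: check an Article 30 record for its mandatory and
'where possible' content, and apply the Article 30(5) derogation test.
Field names below are this example's own convention (assumption)."""
from __future__ import annotations

# Article 30(1)(a)-(d): what a controller must always record.
CONTROLLER_REQUIRED = (
    "controller_name", "controller_contact", "purposes",
    "data_subject_categories", "personal_data_categories",
    "recipient_categories",
)
# Article 30(2)(a)-(b): what a processor must always record.
PROCESSOR_REQUIRED = (
    "processor_name", "processor_contact", "controllers",
    "processing_categories",
)
# Article 30(1)(f)-(g) and 30(2)(d): recorded "where possible".
RECOMMENDED = ("erasure_time_limits", "security_measures")
# Article 32(1)(a)-(d): headings a security description should cover.
SECURITY_HEADINGS = (
    "pseudonymisation_encryption", "cia_resilience",
    "restore_availability", "testing_process",
)


def _blank(value) -> bool:
    """True for None or an empty string/collection (an unfilled field)."""
    return value is None or (hasattr(value, "__len__") and len(value) == 0)


def validate_record(record: dict, role: str) -> tuple[list[str], list[str]]:
    """Return (errors, warnings). Errors break Article 30 minimum content;
    warnings flag 'where possible' content that is absent."""
    if role not in ("controller", "processor"):
        raise ValueError("role must be 'controller' or 'processor'")
    required = CONTROLLER_REQUIRED if role == "controller" else PROCESSOR_REQUIRED
    errors = [f"missing mandatory field: {f}" for f in required if _blank(record.get(f))]
    warnings = [f"missing 'where possible' field: {f}"
                for f in RECOMMENDED if _blank(record.get(f))]

    # Article 30(1)(e) / 30(2)(c): every transfer must identify the third
    # country or international organisation; a transfer relying on the
    # second subparagraph of Article 49(1) must also document safeguards.
    for i, transfer in enumerate(record.get("transfers", [])):
        if _blank(transfer.get("recipient")):
            errors.append(f"transfer[{i}]: third country/organisation not identified")
        if (transfer.get("basis") == "art49_1_second_subparagraph"
                and _blank(transfer.get("safeguards_documentation"))):
            errors.append(f"transfer[{i}]: Article 49(1) transfer without documented safeguards")

    # If a security description is given, check it touches each Article 32(1) heading.
    security = record.get("security_measures")
    if isinstance(security, dict):
        warnings += [f"security_measures: no statement on {h}"
                     for h in SECURITY_HEADINGS if _blank(security.get(h))]
    return errors, warnings


def article_30_5_derogation_applies(headcount: int, *, likely_risk: bool,
                                    occasional: bool,
                                    special_or_criminal_data: bool) -> bool:
    """Article 30(5): exempt only if fewer than 250 persons are employed AND
    none of the three conditions applies (any one of them defeats it)."""
    return (headcount < 250 and not likely_risk and occasional
            and not special_or_criminal_data)


# Constructed sample records (hypothetical organisations, not real data).
SAMPLE_CONTROLLER = {
    "controller_name": "Example Ltd",
    "controller_contact": "privacy@example.com",
    "dpo_contact": "dpo@example.com",
    "purposes": ["payroll administration"],
    "data_subject_categories": ["employees"],
    "personal_data_categories": ["identification data", "bank details"],
    "recipient_categories": ["payroll provider", "tax authority"],
    # Transfer on compelling legitimate interests but safeguards not documented.
    "transfers": [{"recipient": "United States", "basis": "art49_1_second_subparagraph"}],
    "erasure_time_limits": {"bank details": "6 years after end of employment"},
    "security_measures": {
        "pseudonymisation_encryption": "payroll database encrypted at rest",
        "cia_resilience": "redundant hosting, role-based access control",
        "restore_availability": "nightly backups, restore tested quarterly",
        "testing_process": "annual penetration test, quarterly access review",
    },
}
SAMPLE_PROCESSOR = {
    "processor_name": "Example Processor SL",
    "processor_contact": "legal@example.net",
    "controllers": [{"name": "Example Ltd", "contact": "privacy@example.com"}],
    "processing_categories": [],   # left empty: a mandatory field
    "transfers": [],
}

if __name__ == "__main__":
    for name, rec, role in (("controller", SAMPLE_CONTROLLER, "controller"),
                            ("processor", SAMPLE_PROCESSOR, "processor")):
        errs, warns = validate_record(rec, role)
        print(name, "errors:", errs, "warnings:", warns)
    print("derogation for 40-person firm with routine payroll:",
          article_30_5_derogation_applies(40, likely_risk=False, occasional=False,
                                          special_or_criminal_data=False))
```

Run as a script, the checker reports that the controller record fails only on the undocumented safeguards for its Article 49(1) transfer, that the processor record is missing its categories of processing, and that a 40-person firm running routine payroll does not qualify for the derogation because that processing is not occasional. The point of separating errors from warnings is that the "where possible" fields are not a breach of Article 30 when absent, but a record missing them will be harder to reuse for the risk analysis and DPIA work discussed above.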

Records of processing activities templates

There is no mandatory template or standardised form; how to structure the record is up to you as a controller or processor.

Nonetheless, using or building on a recognised form at least ensures that the structure of the record is correct. The content, on the other hand, depends entirely on the processing activities you carry out within your organisation, and no template can help with that.

Below you will find templates from three data protection authorities: two from the Spanish authority (AEPD), one from the Information Commissioner's Office (ICO), the UK authority, and one from the French authority (CNIL).

Examples of records of processing activities from the AEPD

The first template is the AEPD's own record of processing activities, which it published on its transparency portal.

Besides its own record, the AEPD has also given guidance on drafting records of processing activities in its "Guía práctica de análisis de riesgos para el tratamiento de datos personales" (practical guide to risk analysis for the processing of personal data).

In that guide, the Agency describes how to draft them and which information needs to be included, and provides a template in the annex for both controllers and processors.

Template of records of processing activities from the ICO

The ICO explains on its website the documentation obligations of both controllers and processors and offers Excel templates for download at the end of that page, one for controllers and one for processors.

In these models, the fields for the information the GDPR requires as mandatory have a green background, whereas the optional fields added by the ICO are coloured blue.

As said before, the choice to use one template or another (or none) is entirely yours, since there is no single way to draft it. If you ask me, I personally prefer the example of the AEPD because it leaves room for more information.

Template of records of processing activities for controllers of the CNIL

On 25 July 2019 the French data protection authority (CNIL) published a new template of records of processing activities. It is aimed mainly at small organisations acting as data controllers and consists of a basic template that meets the most common needs a processing of personal data may present.

The CNIL template is a spreadsheet in ODS format made up of four sheets: (i) Tutorial; (ii) List of processings; (iii) Record template; and (iv) Record example.

The records template is available on the CNIL website in French, but for those of you who are interested and want to use it, I have translated it into Spanish and English:
