Record of processing activities

Regulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter the “GDPR”) imposed new obligations on controllers and processors. One such obligation is to maintain a record of processing activities. Below we specify when maintaining the record is obligatory.

Obligations of a data controller

The obligations of a data controller under the GDPR include, among others, implementing relevant technical and organisational measures to process personal data in accordance with the GDPR, maintaining a record of processing activities and conducting a personal data breach risk analysis.

Obligations of a processor

The obligations of a processor include maintaining a record of the categories of processing activities carried out on behalf of the controller.

Purpose of record keeping

According to the recitals of the GDPR, maintaining both records serves the following functions:

  1. ensuring compliance with the GDPR;
  2. allowing the President of the Personal Data Protection Office to exercise supervision over the processing of personal data.

Requirement to maintain a record of processing activities and a record of the categories of processing activities

In principle, each controller is required to maintain a record of processing activities (while a processor must maintain a record of the categories of processing activities).

However, under the GDPR, this obligation does not apply to entities with fewer than 250 employees, unless the processing of personal data:

  1. may result in a risk to the rights and freedoms of data subjects;
  2. is not occasional;
  3. involves special categories of personal data or the personal data relating to criminal convictions.

Record of processing activities

The record of processing activities should include, at a minimum:

  1. details of the controller (first name and surname, business name, contact details, etc.);
  2. purposes of the processing;
  3. description of the categories of data subjects;
  4. categories of personal data;
  5. categories of recipients;
  6. information on the transfer of data to a third country;
  7. time limit for erasure of data;
  8. description of security measures.

Record of the categories of processing activities

A record of the categories of processing activities should include, at a minimum:

  1. details of the controllers and the processor (first name and surname, business name, contact details, etc.);
  2. categories of processing activities carried out on behalf of each controller;
  3. information on the transfer of data to a third country;
  4. description of security measures.

Form of record keeping

Both records, i.e. the record of processing activities and the record of the categories of processing activities, are to be maintained in writing, which includes electronic form.

Summary

To sum up, maintaining the records referred to above is a new obligation imposed on large business entities and on those processing special categories of data. The purpose of record keeping is to enable the monitoring of personal data processing by each such entity. The scope of information to be included in the records of personal data processing activities under the GDPR is non-exhaustive; controllers (and processors) may therefore incorporate additional elements in them to streamline their operations. It is also important to note that failure to maintain the records as required under the GDPR carries the risk of high administrative penalties that can be imposed by the supervisory authority.
