If you are a data controller or data processor, you must draw up a record of the data processing operations you carry out. Only entities with fewer than 250 employees that carry out processing without risk to the rights and freedoms of people, or with an occasional risk, are excluded from this obligation, so long as they do not process special data categories or personal data related to convictions and criminal offences.
Public sector entities, data controllers and data processors must make public an inventory of their processing activities, accessible by electronic means, which indicates:
- Name and contact details of the data controller and, if applicable, the co-controller, as well as of the data protection officer, if any.
- Purposes of the processing.
- Legal basis of the processing.
- Description of categories of data subjects and categories of personal data processed.
- Categories of recipients.
- International data transfers.
- Where possible, the deadlines for deleting the data.
- Where possible, a general description of technical and organisational security measures.
How should the record of processing operations be organised?
The record can be organised around specific processing operations linked to a common basic purpose (for example, customer management, accounting management or human resources and payroll management), or according to other criteria.