The GDPR establishes new obligations for controllers and processors to maintain records of processing activities. These obligations do not apply to controllers and processors in organisations employing fewer than 250 persons, provided that the processing is unlikely to result in a high risk to the rights and freedoms of data subjects, is only occasional, and does not include special categories of personal data or personal data relating to criminal convictions and offences.
Controllers and processors subject to these obligations should maintain records of the processing activities they carry out, and for each activity the records should contain the information set out in Article 30 of the GDPR.
This information includes such matters as:
- the name and contact details of the controller and, where applicable, of the joint controller and the data protection officer;
- the purpose of the processing;
- a description of the categories of data subjects and of the categories of personal data;
- international transfers of personal data;
- where possible, the envisaged time limits for erasure of the different categories of data;
- where possible, a general description of the technical and organisational security measures.
How should records of processing operations be organised?
One possible way of organising these records of processing activities is based on the files that are currently subject to compulsory notification by controllers to the Catalan Data Protection Register; these could be used to detail all the processing operations carried out on each structured set of personal data.
The records could however also be organised around specific processing operations linked to a basic purpose common to all of them (for example, “customer management”, “accounts management” or “human resources management and payroll”), or in accordance with other criteria.
The application for managing records of processing activities can be accessed via this link.