menu MENU
arrow_back Back to the list of all Articles
Change country (Currently : Spain) language
Contact our local member in Spain mail_outline
Visit the website of RPCC Estudio Jurídico account_balance

arrow_backPrevious Article
Article 30
Next Articlearrow_forward

Records of processing activities

Official
Texts Guidelines Caselaw Review of
EU Regulation Review of
Nat. Regulation
Show key term(s) and Article(s) related to article 30 of the Regulation keyboard_arrow_down Hide key term(s) and Article(s) related to article 30 keyboard_arrow_up

Articles related to article 30

Key words related to article 30

Show the recitals of the Regulation related to article 30 keyboard_arrow_down Hide the recitals of the Regulation related to article 30 keyboard_arrow_up

(82) In order to demonstrate compliance with this Regulation, the controller or processor should maintain records of processing activities under its responsibility. Each controller and processor should be obliged to cooperate with the supervisory authority and make those records, on request, available to it, so that it might serve for monitoring those processing operations.

Show the recitals of the Directive related to article 30 keyboard_arrow_down Hide the recitals of the Directive related to article 30 keyboard_arrow_up

(25) Whereas the principles of protection must be reflected, on the one hand, in the obligations imposed on persons, public authorities, enterprises, agencies or other bodies responsible for processing, in particular regarding data quality, technical security, notification to the supervisory authority, and the circumstances under which processing can be carried out, and, on the other hand, in the right conferred on individuals, the data on whom are the subject of processing, to be informed that processing is taking place, to consult the data, to request corrections and even to object to processing in certain circumstances;

(48) Whereas the procedures for notifying the supervisory authority are designed to ensure disclosure of the purposes and main features of any processing operation for the purpose of verification that the operation is in accordance with the national measures taken under this Directive;

(49) Whereas, in order to avoid unsuitable administrative formalities, exemptions from the obligation to notify and simplification of the notification required may be provided for by Member States in cases where processing is unlikely adversely to affect the rights and freedoms of data subjects, provided that it is in accordance with a measure taken by a Member State specifying its limits; whereas exemption or simplification may similarly be provided for by Member States where a person appointed by the controller ensures that the processing carried out is not likely adversely to affect the rights and freedoms of data subjects; whereas such a data protection official, whether or not an employee of the controller, must be in a position to exercise his functions in complete independence;

(50) Whereas exemption or simplification could be provided for in cases of processing operations whose sole purpose is the keeping of a register intended, according to national law, to provide information to the public and open to consultation by the public or by any person demonstrating a legitimate interest;

(51) Whereas, nevertheless, simplification or exemption from the obligation to notify shall not release the controller from any of the other obligations resulting from this Directive;

(52) Whereas, in this context, ex post facto verification by the competent authorities must in general be considered a sufficient measure;

The GDPR

In assessing the Directive application, it was found out that the obligation of prior notification referred to in Articles 18 and 19 generated an administrative and financial charge, without actually improving the data protection.

The EU legislature has therefore decided to replace this obligation of notification by an obligation to the controllers and the processors, to maintain a record of processing activities under their responsibility.

Thus, both the controllers and the processors (and, if applicable, their representatives) will have to keep records for all categories of processing activities under their responsibility, that is, for each processing that they implement. These records must be made available to supervisory authorities on request.

These records should include the information listed in the Regulation, which vary according to whether this register is kept by a controller or a processor.

In addition to the information on the identification of the various participants (controllers, processors, but also joint controllers or data protection officers), there are for example the purposes of the processing, a description of the categories of data subjects and related personal data categories, the categories of recipients to which the personal data have been or will be provided, the time limits set for erasure of the different categories of data, a description of the security measures, etc.

The Regulation specifies that these registers must be in written form, including electronic, or any other non-readable form which can be converted into a readable form.

There is a single exception to the obligation to keep records intended for enterprises or organizations with less than 250 employees, unless the treatment they perform is likely to include a high risk in terms of the rights and freedoms of the data subjects, the processing is not occasional, or the processing involves sensitive data referred to in Article 9 (1) or data relating to convictions or criminal offences referred to in Article 10.

The Directive

Under the Directive, Article 16 (2) authorised the Member States to provide for two exceptions to the obligation to send a notification to the supervisory authority prior to the implementation of any processing:

- the first one covered the categories of processing that are not likely to infringe the rights and the freedoms of the data subjects, given the data to process and as long as they specify the purposes, the categories of processed data, the data subjects, the recipients and the period of storage;

- the second one aimed at the assumption where the controller has designated a seconded data protection officer charged, on the one hand, to ensure the compliance of the data protection legislation and on the other hand, to maintain records of the processing activities.

Potential issues

This cancellation of the obligation of prior notification may be interpreted from two points of view. 

From the point of view of the data subjects, this could appear to be a step backward. Indeed, the existing system allowed anybody to get informed about the purposes of the processing and its main features, without being necessary to apply to the controllers via the systems of public registers kept by the authorities, from the statements or prior notifications. But who was actually exercising this possibility?

From the point of view of the controllers, it is clear that the removal of the obligation of prior notification might seem to allow them to avoid significant costs and thus facilitates their life.

Nothing could be less sure.

The real workload stood upstream when it came to identify and maintain documentation of the processing that was subject to a declaration. However, this obligation is generalized in the new system since it concerns all the activity of processing (whereas before, many processing activities were exempted from declaration and were also often not documented internally in the controller’s organization). In addition, the obligation will apply to both the controllers and the processors, or even their representatives if such are to be designated.

arrow_back Previous ArticleArticle 30Next Article arrow_forward
arrow_back Previous ArticleArticle 30 Next Article arrow_forward
arrow_back Previous Article Article 30 Next Article arrow_forward

Summary

European Union

European Union

CJEU caselaw

C-60/22 (4 May 2023) - Bundesrepublik Deutschland

1.      Article 17(1)(d) and Article 18(1)(b) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

must be interpreted as meaning that failure by the controller to comply with the obligations laid down in Articles 26 and 30 of that regulation, which relate, respectively, to the conclusion of an arrangement determining joint responsibility for processing and to the maintenance of a record of processing activities, does not constitute unlawful processing conferring on the data subject a right to erasure or restriction of processing, where such a failure does not, as such, entail an infringement by the controller of the principle of ‘accountability’ as set out in Article 5(2) of that regulation, read in conjunction with Article 5(1)(a) and the first subparagraph of Article 6(1) thereof.

2.      EU law must be interpreted as meaning that, where the controller of personal data has failed to comply with its obligations under Articles 26 or 30 of Regulation 2016/679, the lawfulness of the taking into account of such data by a national court is not subject to the data subject’s consent.

Judgment of the Court 

Retour au sommaire Retour au sommaire
arrow_back Previous Article Article 30 Next Article arrow_forward
Regulation
1e 2e

Art. 30

1.   Each controller and, where applicable, the controller's representative, shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information:

(a) the name and contact details of the controller and, where applicable, the joint controller, the controller's representative and the data protection officer;

(b) the purposes of the processing;

(c) a description of the categories of data subjects and of the categories of personal data;

(d) the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;

(e) where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;

(f) where possible, the envisaged time limits for erasure of the different categories of data;

(g) where possible, a general description of the technical and organisational security measures referred to in Article 32(1).

2.   Each processor and, where applicable, the processor's representative shall maintain a record of all categories of processing activities carried out on behalf of a controller, containing:

(a) the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller's or the processor's representative, and the data protection officer;

(b) the categories of processing carried out on behalf of each controller;

(c) where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;

(d) where possible, a general description of the technical and organisational security measures referred to in Article 32(1).

3.   The records referred to in paragraphs 1 and 2 shall be in writing, including in electronic form.

4.   The controller or the processor and, where applicable, the controller's or the processor's representative, shall make the record available to the supervisory authority on request.

5.   The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10.

 

 
1st proposal close

Art. 28

1.           Each controller and processor and, if any, the controller's representative, shall maintain documentation of all processing operations under its responsibility.

2.           The documentation shall contain at least the following information:

(a)     the name and contact details of the controller, or any joint controller or processor, and of the representative, if any;

(b)     the name and contact details of the data protection officer, if any;

(c)     the purposes of the processing, including the legitimate interests pursued by the controller where the processing is based on point (f) of Article 6(1);

(d)     a description of categories of data subjects and of the categories of personal data relating to them;

(e)     the recipients or categories of recipients of the personal data, including the controllers to whom personal data are disclosed for the legitimate interest pursued by them;

(f)      where applicable, transfers of data to a third country or an international organisation, including the identification of that third country or international organisation and, in case of transfers referred to in point (h) of Article 44(1), the documentation of appropriate safeguards;

(g)     a general indication of the time limits for erasure of the different categories of data;

(h)     the description of the mechanisms referred to in Article 22(3).

3.           The controller and the processor and, if any, the controller's representative, shall make the documentation available, on request, to the supervisory authority.

4.           The obligations referred to in paragraphs 1 and 2 shall not apply to the following controllers and processors:

(a)     a natural person processing personal data without a commercial interest; or

(b)     an enterprise or an organisation employing fewer than 250 persons that is processing personal data only as an activity ancillary to its main activities.

5.           The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the documentation referred to in paragraph 1, to take account of in particular the responsibilities of the controller and the processor and, if any, the controller's representative.

6.           The Commission may lay down standard forms for the documentation referred to in paragraph 1. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).
2nd proposal close

Art. 28

1.  Each controller (...) and, if any, the controller's representative, shall maintain a record  of all categories of personal data processing activities under its responsibility.

This record shall contain (...) the following information:

(a) the name and contact details of the controller and any joint controller (...), controller’s representative and data protection officer, if any;

(b) (...)

(c) the purposes of the processing, including the legitimate interest when the processing is based on Article 6(1)(f);

(d) a description of categories of data subjects and of the categories of personal data relating to them;

(e) the (...) categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries;

(f) where applicable, the categories of transfers of personal data to a third  country or an international organisation (...);

(g) where possible, the envisaged time limits for erasure of the different  categories of data.

(h) where possible, a general description of the technical and organisational security measures referred to in Article 30(1).

2a. Each processor shall maintain a record of all categories of personal data processing activities carried out on behalf of a controller, containing:

(a) the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and of the controller's representative, if any;

(b) the name and contact details of the data protection officer, if any;

(c) the categories of processing carried out on behalf of each controller;

(d) where applicable, the categories of transfers of personal data to a third  country or an international organisation;

(e) where possible, a general description of the technical and organisational security measures referred to in Article 30(1).

3a. The records referred to in paragraphs 1 and 2a shall be in writing, including in an electronic or other non-legible form which is capable of being converted into a legible form.

3. On request, the controller and the processor and, if any, the controller's representative, shall make the record available (...) to the supervisory authority.

4. The obligations referred to in paragraphs 1 and 2a shall not apply to:

(a)(...);

(b) an enterprise or a body employing fewer than 250 persons, unless the processing it carries out is likely to result in a high risk for the rights and freedoms of data subject such as (...) discrimination, identity theft or fraud, unauthorized reversal of pseudonymisation, financial loss, damage to the reputation, loss of confidentiality of data protected by professional secrecy or any other economic or social disadvantage for the data subjects, taking into account the nature, scope, context and purposes of the processing. ;

5. (...)

6. (...)

 
Directive close

No specific provision
Spain
compare_arrows

Artículo 31. Registro de las actividades de tratamiento.

1. Los responsables y encargados del tratamiento o, en su caso, sus representantes deberán mantener el registro de actividades de tratamiento al que se refiere el artículo 30 del Reglamento (UE) 2016/679, salvo que sea de aplicación la excepción prevista en su apartado 5.

El registro, que podrá organizarse en torno a conjuntos estructurados de datos, deberá especificar, según sus finalidades, las actividades de tratamiento llevadas a cabo y las demás circunstancias establecidas en el citado reglamento.

Cuando el responsable o el encargado del tratamiento hubieran designado un delegado de protección de datos deberán comunicarle cualquier adición, modificación o exclusión en el contenido del registro.

2. Los sujetos enumerados en el artículo 77.1 de esta ley orgánica harán público un inventario de sus actividades de tratamiento accesible por medios electrónicos en el que constará la información establecida en el artículo 30 del Reglamento (UE) 2016/679 y su base legal.

Disposición final undécima. Modificación de la Ley 19/2013, de 9 de diciembre, de transparencia, acceso a la información pública y buen gobierno.

Se modifica la Ley 19/2013, de 9 de diciembre, de transparencia, acceso a la información pública y buen gobierno, en los siguientes términos:

Uno. Se añade un nuevo artículo 6 bis, con la siguiente redacción:

«Artículo 6 bis. Registro de actividades de tratamiento.

Los sujetos enumerados en el artículo 77.1 de la Ley Orgánica de Protección de Datos Personales y Garantía de los Derechos Digitales, publicarán su inventario de actividades de tratamiento en aplicación del artículo 31 de la citada Ley Orgánica.»

Dos. El apartado 1 del artículo 15 queda redactado como sigue:

«1. Si la información solicitada contuviera datos personales que revelen la ideología, afiliación sindical, religión o creencias, el acceso únicamente se podrá autorizar en caso de que se contase con el consentimiento expreso y por escrito del afectado, a menos que dicho afectado hubiese hecho manifiestamente públicos los datos con anterioridad a que se solicitase el acceso.

Si la información incluyese datos personales que hagan referencia al origen racial, a la salud o a la vida sexual, incluyese datos genéticos o biométricos o contuviera datos relativos a la comisión de infracciones penales o administrativas que no conllevasen la amonestación pública al infractor, el acceso solo se podrá autorizar en caso de que se cuente con el consentimiento expreso del afectado o si aquel estuviera amparado por una norma con rango de ley.»

---

Article 31. Registration of treatment activities.

1. Controllers and processors or, where applicable, their representatives shall keep the register of processing activities referred to in Article 30 of Regulation (EU) 2016/679, unless the exception provided for in paragraph 5 thereof applies.

The register, which may be organized around structured sets of data, must specify, according to its purposes, the processing activities carried out and the other circumstances established in the aforementioned regulation.

Where the controller or processor has appointed a data protection officer, he/she shall notify him/her of any additions, modifications or deletions to the contents of the register.

2. The subjects listed in Article 77.1 of this Organic Law shall make public an inventory of their processing activities accessible by electronic means containing the information set out in Article 30 of Regulation (EU) 2016/679 and its legal basis.

Eleventh final provision. Modification of Law 19/2013, of December 9, on transparency, access to public information and good governance.

Law 19/2013, of December 9, 2013, on transparency, access to public information and good governance, is amended as follows:

A new article 6 bis is added, with the following wording: "Article 6 bis. Registration of treatment activities.

The subjects listed in Article 77.1 of the Organic Law on the Protection of Personal Data and Guarantee of Digital Rights shall publish their inventory of processing activities in application of Article 31 of the aforementioned Organic Law."

Two. Paragraph 1 of Article 15 shall read as follows:

"If the information requested contains personal data revealing ideology, trade union affiliation, religion or beliefs, access may only be authorized with the express written consent of the data subject, unless the data subject had manifestly made the data public prior to the request for access.

If the information includes personal data referring to racial origin, health or sex life, includes genetic or biometric data or contains data relating to the commission of criminal or administrative offenses that do not entail a public warning to the offender, access may only be authorized with the express consent of the person concerned or if it is covered by a regulation with the rank of law".
arrow_back Previous ArticleArticle 30 Next Article arrow_forward
close

2016 - www.itiplaw.eu.