Article 30
Records of processing activities

Recitals of the Regulation related to Article 30

(82) In order to demonstrate compliance with this Regulation, the controller or processor should maintain records of processing activities under its responsibility. Each controller and processor should be obliged to cooperate with the supervisory authority and make those records, on request, available to it, so that it might serve for monitoring those processing operations.

Recitals of the Directive related to Article 30

(25) Whereas the principles of protection must be reflected, on the one hand, in the obligations imposed on persons, public authorities, enterprises, agencies or other bodies responsible for processing, in particular regarding data quality, technical security, notification to the supervisory authority, and the circumstances under which processing can be carried out, and, on the other hand, in the right conferred on individuals, the data on whom are the subject of processing, to be informed that processing is taking place, to consult the data, to request corrections and even to object to processing in certain circumstances;

(48) Whereas the procedures for notifying the supervisory authority are designed to ensure disclosure of the purposes and main features of any processing operation for the purpose of verification that the operation is in accordance with the national measures taken under this Directive;

(49) Whereas, in order to avoid unsuitable administrative formalities, exemptions from the obligation to notify and simplification of the notification required may be provided for by Member States in cases where processing is unlikely adversely to affect the rights and freedoms of data subjects, provided that it is in accordance with a measure taken by a Member State specifying its limits; whereas exemption or simplification may similarly be provided for by Member States where a person appointed by the controller ensures that the processing carried out is not likely adversely to affect the rights and freedoms of data subjects; whereas such a data protection official, whether or not an employee of the controller, must be in a position to exercise his functions in complete independence;

(50) Whereas exemption or simplification could be provided for in cases of processing operations whose sole purpose is the keeping of a register intended, according to national law, to provide information to the public and open to consultation by the public or by any person demonstrating a legitimate interest;

(51) Whereas, nevertheless, simplification or exemption from the obligation to notify shall not release the controller from any of the other obligations resulting from this Directive;

(52) Whereas, in this context, ex post facto verification by the competent authorities must in general be considered a sufficient measure;

The GDPR

In assessing the application of the Directive, it was found that the obligation of prior notification referred to in Articles 18 and 19 generated an administrative and financial burden without actually improving data protection.

The EU legislature therefore decided to replace this notification obligation with an obligation, imposed on controllers and processors, to maintain a record of the processing activities under their responsibility.

Thus, both controllers and processors (and, where applicable, their representatives) must keep a record of all categories of processing activities under their responsibility, that is, of each processing operation they carry out. These records must be made available to the supervisory authority on request.

The record must contain the information listed in the Regulation, which differs according to whether it is kept by a controller or by a processor.

In addition to the identification of the various participants (controllers and processors, but also joint controllers, representatives and data protection officers), the controller's record must state, for example, the purposes of the processing, a description of the categories of data subjects and of the related categories of personal data, the categories of recipients to whom the personal data have been or will be disclosed (including recipients in third countries), any transfers to a third country or international organisation together with the documentation of the safeguards relied on, the envisaged time limits for erasure of the different categories of data, and a general description of the technical and organisational security measures. The processor's record is shorter: the controllers on whose behalf it acts, the categories of processing carried out for each of them, transfers to third countries and the security measures.

The Regulation specifies that the record must be in writing, including in electronic form.

There is a single exception to the obligation to keep a record, intended for enterprises or organisations employing fewer than 250 persons. Even then, the exception does not apply where the processing carried out is likely to result in a risk to the rights and freedoms of data subjects, where the processing is not occasional, or where it includes special categories of data referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10. These three conditions are alternatives: a single non-occasional processing operation (routine staff or customer data, for instance) is enough to take a small organisation outside the exemption.

The Directive

Under the Directive, Article 18(2) authorised the Member States to provide for two simplifications of, or exemptions from, the obligation to notify the supervisory authority before implementing any processing:

- the first covered categories of processing operations unlikely, given the data to be processed, to affect adversely the rights and freedoms of data subjects, provided that the Member State specified the purposes of the processing, the categories of data processed, the categories of data subjects, the recipients and the length of storage;

- the second covered the case where the controller had appointed a personal data protection official responsible, on the one hand, for ensuring compliance with data protection legislation and, on the other hand, for keeping a register of the processing operations carried out by the controller.

Potential issues

The abolition of the obligation of prior notification can be viewed from two angles.

From the point of view of data subjects, it could appear to be a step backward. The former system allowed anyone to learn the purposes and main features of a processing operation, without having to apply to the controller, by consulting the public registers that the authorities kept on the basis of the declarations or prior notifications. But who actually exercised that possibility?

From the point of view of controllers, the removal of the prior notification obligation might seem to spare them significant costs and make their lives easier.

Nothing could be less certain.

The real workload always lay upstream, in identifying and documenting the processing operations that were subject to declaration. That obligation is now generalised, since it covers every processing activity (whereas before, many processing operations were exempt from declaration and were often not documented internally either). In addition, the obligation applies to processors as well as controllers, and to their representatives where these must be designated.

Regulation

Art. 30

1.   Each controller and, where applicable, the controller's representative, shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information:

(a) the name and contact details of the controller and, where applicable, the joint controller, the controller's representative and the data protection officer;

(b) the purposes of the processing;

(c) a description of the categories of data subjects and of the categories of personal data;

(d) the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;

(e) where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;

(f) where possible, the envisaged time limits for erasure of the different categories of data;

(g) where possible, a general description of the technical and organisational security measures referred to in Article 32(1).

2.   Each processor and, where applicable, the processor's representative shall maintain a record of all categories of processing activities carried out on behalf of a controller, containing:

(a) the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller's or the processor's representative, and the data protection officer;

(b) the categories of processing carried out on behalf of each controller;

(c) where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;

(d) where possible, a general description of the technical and organisational security measures referred to in Article 32(1).

3.   The records referred to in paragraphs 1 and 2 shall be in writing, including in electronic form.

4.   The controller or the processor and, where applicable, the controller's or the processor's representative, shall make the record available to the supervisory authority on request.

5.   The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10.

1st proposal

Art. 28

1. Each controller and processor and, if any, the controller's representative, shall maintain documentation of all processing operations under its responsibility.

2. The documentation shall contain at least the following information:

(a) the name and contact details of the controller, or any joint controller or processor, and of the representative, if any;

(b) the name and contact details of the data protection officer, if any;

(c) the purposes of the processing, including the legitimate interests pursued by the controller where the processing is based on point (f) of Article 6(1);

(d) a description of categories of data subjects and of the categories of personal data relating to them;

(e) the recipients or categories of recipients of the personal data, including the controllers to whom personal data are disclosed for the legitimate interest pursued by them;

(f) where applicable, transfers of data to a third country or an international organisation, including the identification of that third country or international organisation and, in case of transfers referred to in point (h) of Article 44(1), the documentation of appropriate safeguards;

(g) a general indication of the time limits for erasure of the different categories of data;

(h) the description of the mechanisms referred to in Article 22(3).

3. The controller and the processor and, if any, the controller's representative, shall make the documentation available, on request, to the supervisory authority.

4. The obligations referred to in paragraphs 1 and 2 shall not apply to the following controllers and processors:

(a) a natural person processing personal data without a commercial interest; or

(b) an enterprise or an organisation employing fewer than 250 persons that is processing personal data only as an activity ancillary to its main activities.

5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the documentation referred to in paragraph 1, to take account of in particular the responsibilities of the controller and the processor and, if any, the controller's representative.

6. The Commission may lay down standard forms for the documentation referred to in paragraph 1. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).

2nd proposal

Art. 28

1. Each controller (...) and, if any, the controller's representative, shall maintain a record of all categories of personal data processing activities under its responsibility.

This record shall contain (...) the following information:

(a) the name and contact details of the controller and any joint controller (...), controller’s representative and data protection officer, if any;

(b) (...)

(c) the purposes of the processing, including the legitimate interest when the processing is based on Article 6(1)(f);

(d) a description of categories of data subjects and of the categories of personal data relating to them;

(e) the (...) categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries;

(f) where applicable, the categories of transfers of personal data to a third country or an international organisation (...);

(g) where possible, the envisaged time limits for erasure of the different categories of data.

(h) where possible, a general description of the technical and organisational security measures referred to in Article 30(1).

2a. Each processor shall maintain a record of all categories of personal data processing activities carried out on behalf of a controller, containing:

(a) the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and of the controller's representative, if any;

(b) the name and contact details of the data protection officer, if any;

(c) the categories of processing carried out on behalf of each controller;

(d) where applicable, the categories of transfers of personal data to a third country or an international organisation;

(e) where possible, a general description of the technical and organisational security measures referred to in Article 30(1).

3a. The records referred to in paragraphs 1 and 2a shall be in writing, including in an electronic or other non-legible form which is capable of being converted into a legible form.

3. On request, the controller and the processor and, if any, the controller's representative, shall make the record available (...) to the supervisory authority.

4. The obligations referred to in paragraphs 1 and 2a shall not apply to:

(a)(...);

(b) an enterprise or a body employing fewer than 250 persons, unless the processing it carries out is likely to result in a high risk for the rights and freedoms of data subjects such as (...) discrimination, identity theft or fraud, unauthorised reversal of pseudonymisation, financial loss, damage to the reputation, loss of confidentiality of data protected by professional secrecy or any other economic or social disadvantage for the data subjects, taking into account the nature, scope, context and purposes of the processing;

5. (...)

6. (...)

Directive

No specific provision
