Records of processing activities: explanation
The records of processing activities are a crucial tool for corporate compliance that the new law in terms of data privacy (GDPR General Data Protection Regulation) offers. This documentation is explained in the art. 30 of the EU GDPR: “Records of processing activities”. The first paragraph provides a clear explanation of the content of these records.
Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information:
- the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer;
- the purposes of the processing;
- a description of the categories of data subjects and of the categories of personal data;
- the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;
- where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49, the documentation of suitable safeguards;
- where possible, the envisaged time limits for erasure of the different categories of data;
- where possible, a general description of the technical and organisational security measures referred to in Article 32.
Records of processing activities: when do we need the documentation?
Paragraph 2 of the same article explains:
Each processor and, where applicable, the processor’s representative shall maintain a record of all categories of processing activities carried out on behalf of a controller, containing:
- the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller’s or the processor’s representative, and the data protection officer;
- the categories of processing carried out on behalf of each controller;
- where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49, the documentation of suitable safeguards;
- where possible, a general description of the technical and organisational security measures referred to in Article 32.
Basically, the persone responsible for the processing operations, in case there is one, his representative, must keep the records of the processing activities made on behalf of a Data Controller. This step is necessary to ensure compliance to the organization. Moreover, in the same paragraph is specified the content of the documentation.
Anyway, the keeping of such documentation is not general. Not every company must keep the records of the processing activities. Paragraph 5 of the same article says:
The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9 or personal data relating to criminal convictions and offences referred to in Article 10.
Records of processing activities: additional information
Paragraph 3 of art. 30 specifies:
The records referred to in paragraphs 1 and 2 shall be in writing, including in electronic form.
While paragraph 4 of the same article focuses the attention on the availability of these records in case of a request from authorities:
The controller or the processor and, where applicable, the controller’s or the processor’s representative, shall make the record available to the supervisory authority on request.
Records of processing activities: a tool for compliance
In order to assure to your business the best tool available, Swascan together with Raoul Chiesa ( Raoul Chiesa interview ) developed a special cybersecurity platform. It is completely in Cloud, Pay per Use and SaaS. You can see for yourself in our brochure: Cybersecurity platform and have an in-depth look at our services. Our four services cover all the governance needs in terms of risk management and periodic assessment. Basically, the right tools to understand your focus areas are Vulnerability Assessment, Network Scan, Code Review and GDPR Assessment. Last but not least, don’t forget GDPR: our platform is 100% GDPR compliant ( GDPR infographic ) and to provide a full documentation here you can find some information about the new figure introduced by this law: DPO .