The General Data Protection Regulation (GDPR) of the European Union sets out obligations for controllers on keeping records of data processing activities. Records of processing activities are documents compiled and kept up-to-date by controllers that contain the processing activities performed by such controllers under their responsibility – in order to prove compliance with GDPR (accountability principle). In this article we summarise the key issues related to maintaining records of processing activities.
Exemption from obligation to keep records of processing activities – only a narrow range of micro, small- and medium-sized enterprises are exempt
Only controllers employing fewer than 250 people are exempt from the obligation to maintain records of data processing activities. However, this exemption is not applicable if
- the processing performed by the controller is likely to pose a risk to the rights and freedoms of the data subjects (e.g. camera surveillance),
- the processing is not occasional (e.g. payroll, sending of regular newsletters),
- processing includes special categories of personal data (e.g. personal data referring to religion or philosophical beliefs, trade union memberships) or personal data related to criminal convictions and offences.
So if any of the exemptions listed above are applicable, controllers employing fewer than 250 people are also obliged to maintain records of the relevant processing activity.
Mandatory content for records of data processing activities
The GDPR defines the mandatory content for records of processing activities precisely. Records of processing activities shall contain at least the following:
- the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer;
- the purposes of the processing;
- a description of the categories of data subjects and of the categories of personal data;
- the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organisations;
- where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49 (1), the documentation of suitable safeguards;
- where possible, the envisaged time limits for erasure of the different categories of data;
- where possible, a general description of the technical and organisational security measures referred to in Article 32 (1).
Formal requirements regarding the records of processing activities
Records of processing activities shall be kept in writing, either in paper or electronic format (e.g. xls file). There are no requirements in the GDPR about the language used for records of processing activities. If there are no special circumstances justifying the maintenance of the records in a foreign language, it is recommended to keep the records in Hungarian. It is also recommended to include the documents available for the specific processing operations as well as where they are available (e.g. data processing contracts, interest assessment tests, certifications).
Amendments should be traceable
Records of processing activities are prepared as a result of screening the controller’s processes related to the processing activity. However, it is important to note that controllers must keep the records up-to-date. Consequently, a controller must transfer any interim changes – initiation of a new processing activity, termination or modification of existing processing activities (e.g. extending scope of data subjects, changes in purpose of processing) to the records of processing activities. The records must explicitly show the date when the specific modifications (erasures) were transferred.
A controller may receive an administrative fine if it fails to comply with its obligations related to maintaining records of processing activities – which means it does not or does not appropriately maintain the records, or refuses to hand such over to the supervisory authority upon request.
If you are interested in checking whether your company’s data management practices meet the GDPR requirements, please contact us and we will review your current practices in a data protection due diligence.
dr. Ildikó Szopkóné Horváth