Article 30 of the GDPR regulates the so-called "RECORD OF PROCESSING ACTIVITIES" and establishes that the Data Controller and the Data Processor must keep a record of the processing activities carried out under their responsibility.
The record is a document with inventory and analysis purposes, which must reflect the reality of your personal data processing. This record must contain the following information:
- The name and contact details of the Data Controller and, where appropriate, the Data Controller's representative and the data protection officer.
- The purposes of the processing.
- A description of the categories of personal data (for example: identity, family, economic and financial situation, banking data, connection data, location data, etc.).
- The categories of recipients to whom personal data is communicated.
- Where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation.
- When possible, the deletion of the different categories of data.
- When possible, a general description of the technical and organizational security measures.
The duty to maintain a record of processing concerns all entities, both private and public, regardless of their size, provided they process personal data. The record must be held by controllers or processors themselves.
In the case of Data Processors, the GDPR not only requires more responsibility from the controller, but also from the data processors involved. Therefore, this obligation is also applicable to processors. Each processor will have the responsibility to maintain records of all categories of processing activities carried out on behalf of a controller, containing:
- The name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, the data protection officer.
- The categories of processing carried out on behalf of each controller.
- Transfers of personal data to a third country or an international organisation, including the documentation of suitable safeguards.
- A general description of the applied technical and organisational security measures.