Skip to Content

GDPR - Records of processing activities - Records of Processing Activities for Controllers

354  Matthew Burdick September 27, 2022  Records of processing activities

Recital - 13.
Taking Account of Micro, Small and Medium-Sized Enterprises
Executive Summary
Controllers and processors with fewer than 250 employees may have reduced record keeping obligations.
Recital Text
In order to ensure a consistent level of protection for natural persons throughout the Union and to prevent divergences hampering the free movement of personal data within the internal market, a Regulation is necessary to provide legal certainty and transparency for economic operators, including micro, small and medium-sized enterprises, and to provide natural persons in all Member States with the same level of legally enforceable rights and obligations and responsibilities for controllers and processors, to ensure consistent monitoring of the processing of personal data, and equivalent sanctions in all Member States as well as effective cooperation between the supervisory authorities of different Member States.The proper functioning of the internal market requires that the free movement of personal data within the Union is not restricted or prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.To take account of the specific situation of micro, small and medium-sized enterprises, this Regulation includes a derogation for organizations with fewer than 250 employees with regard to record-keeping.In addition, the Union institutions and bodies, and Member States and their supervisory authorities, are encouraged to take account of the specific needs of micro, small and medium-sized enterprises in the application of this Regulation.The notion of micro, small and medium-sized enterprises should draw from Article 2 of the Annex to Commission Recommendation 2003/361/EC¹.
 
Recital - 82.
Record of Processing Activities
Executive Summary
In addition to Data Inventory and Data Maps, Controllers and Processors are required to keep logs and records of what they have processed, when and why.
Recital Text
In order to demonstrate compliance with this Regulation, the controller or processor should maintain records of processing activities under its responsibility.Each controller and processor should be obliged to cooperate with the supervisory authority and make those records, on request, available to it, so that it might serve for monitoring those processing operations.
Executive Summary
That record shall contain all of the following information:

- The name and contact details of the controller/ joint controller;
- The controller's representative and the data protection officer;
- The purposes of the processing;
- Description of the categories of data subjects and personal data;
- Categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organizations;
- Any transfers of personal data to a third country or an international organization, including the identification of that third country or international organization and documentation of suitable safeguards;
- The envisaged time limits for erasure of the different categories of data;
- A general description of the technical and organizational security measures referred to in Article 32.
Not Rated
Secure Code