Who is obliged to keep records of processing activities?

The notification obligation under Directive 95/46/EC has been replaced by a recordkeeping obligation, which applies to both controllers and processors employing 250 people or more. Companies with fewer than 250 employees are not obliged to keep records, unless the processing they perform is likely to result in a risk to the rights and freedoms of data subjects, is not occasional or involves sensitive data.

Processing records must be made available to the competent supervisory authority upon request.

Even if you are not obliged to keep records, we recommend doing so nonetheless in order to have an overview of and better monitor your processing activities. The keeping of adequate records of all processing activities is indeed a cornerstone of any good GDPR compliance programme.

Content requirements

The records kept by controllers (or their representatives) of their processing activities must contain at least the following information:

  • the name and contact details of the controller and, where applicable, the joint controller, the controller's representative and the data protection officer;

  • the purposes of the processing;

  • a description of the categories of data subjects and the categories of personal data being processed;

  • the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries;

  • where applicable, an indication of any transfers of personal data to a third country, including the name of the third country, and the documentation of suitable safeguards (if applicable);

  • where possible, the envisaged time limits for erasure of the various categories of data being processed;

  • where possible, a general description of the applicable technical and organisational security measures.

Even though not required, we recommend including in the record the legal basis for the processing, in particular the legitimate interest, if applicable. Controllers must analyse this information in any case, as data subjects must always be informed of the legal basis for the processing of their personal data.

The records to be kept by processors of processing activities carried out on behalf of a controller must contain at least the following information:

  • the name and contact details of the processor or processors and of each controller on whose behalf the processor is acting and, where applicable, the controller's or processor's representative as well as the data protection officer;

  • the categories of processing carried out on behalf of each controller;

  • where applicable, an indication of any transfers of personal data to a third country, including the name of the third country, and the documentation of suitable safeguards (if applicable);

  • where possible, a general description of the technical and organisational security measures taken to protect the personal data.

The GDPR does not contain any guidelines on how these records should be structured, e.g. by purpose, database or business unit. In our opinion, much will depend on how processing is structured within your organisation.

Format requirements

The record must be in writing, including in electronic form. Depending on the size of your company and the extent of its processing activities, an Excel spreadsheet may suffice. Alternatively, you may wish to use one of the more sophisticated tools popping up on the market or create your own format.

To do's

  • Check whether you are obliged to keep records.
  • If so, create and keep the relevant records.
  • If not, consider keeping records in any case in order to keep track of your processing activities.
  • Put in place a procedure to regularly review and update your records.

Relevant provisions

- Recital 82

- Article 30