Records of Processing Activities
It is important that companies that process personal data belonging to EU citizens also keep records of processing activities. Records of processing activities contains information about where the processing of personal data takes place. Also information about the storage location, storage duration and much more.
How to write Records of Processing Activities in accordance with Article 30 GDPR
The Controller must write records of the processing activities in accordance with Article 30 GDPR. The record must contain information on how the company processes personal data. It can look different depending on each company. For example, it can be formulated in a Word document or in Excel.
The most important thing is that it is concise and that it provides a clear overview of the processing of personal data based on various aspects.
The purpose of Records of Processing Activities - Article 30 GDPR
According to the GDPR, the purpose of a register list is that it should be easy to get an overview and see how the business processes personal data and where the processing takes place. It must be a document with a collected and compiled information about the treatment. For example, the information may appear in tabular form, bars or similar brief summaries of the treatment. The person responsible for personal data is responsible for ensuring that such a list is drawn up.
The content of Records of Processing Activities
It shall contain information on where the processing of personal data takes place. For example, all storage locations can be specified in a table, as well as with information about which personal data is processed in each individual specific processing location, the number of categories of personal data, etc.
The record shall also contain a compiled list of all Personal Data Processors hired by the Personal Data Controller, who processes personal data on behalf of the Controller. Then the Processor’s company name, organization number and other contact information must appear. As well as information about where the processing takes place. For example, a processing can take place within the EU / EEA, or outside the EU /EEA in a so-called third country.
It must also be noted whether there is a Data Processing Agreement between the Controller and Processor.
The records of processing activities must also contain information on what measures the company has taken to ensure that the company complies with the GDPR in its processing of personal data. For example, a GAP analysis can be established. And notes regarding when the data protection policy was established, when it was last updated, and so on. The same applies to other internal routines, logbooks and other documents.
In summary, the purpose of records of processing activities is that a business should be able to quickly and easily look up the records, to find answers. Such as about any personal data processors, storage locations, types of categories that are processed, etc.
The Supervisory Authority can request to see the records of processing activities , internal routines and other agreements relevant to the GDPR.
News about GDPR and reviews from supervisory authorities
In addition to this information, you can also read our GDPR summary. And also about various news about the GDPR on this website. For example, audits carried out by Supervisory Authorities and sanction fees that they distribute. By learning from mistakes from others, it is possible to avoid making similar mistakes yourself. In addition, you can find information that is important and good to know as an entrepreneur as well as guides.
Summary of the GDPR for Companies, Entrepreneurs and Businesses
There is a lot of information about the GDPR that is important for companies, entrepreneurs and businesses to know about. We have therefore written a GDPR Summary and mention various key elements. Therefore, we are able to provide an overview of the GDPR, what it means and what companies must do to comply with the EU regulation.