• Spain
  • Germany
  • United States

What is a Record of Processing Activities? What should it include?

Share on linkedin
Share on email
Share on whatsapp
Share on facebook
Share on twitter

The new European General Data Protection Regulation (GDPR), which requires mandatory compliance from 25 May 2018 includes numerous obligations and novelties.

The new GDPR removes the obligation to notify the Spanish Data Protection Agency (AEPD) about the files. Instead, an obligation to maintain a Record of Processing Activities is established in certain cases.

What is a Record of Processing Activities? 

According to Sections 1 and 2 of Article 30 of GDPR:

  • Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility.
  • Each processor and, where applicable, the processor’s representative, shall maintain a record of all categories of processing activities carried out on behalf of a controller.

What information should the Record of Processing Activities contain?

The Record of Processing Activities of the controller must contain the following information:

  • The name and contact details of the controller and where applicable, of the co-controller, of the representative of the controller and of the data protection officer.
  • The purposes of processing.
  • A description of categories of parties concerned and of the categories of personal data.
  • The categories of recipients to whom the personal data is communicated or will be communicated, including the recipients in third countries or international organizations.
  • Where applicable, the transfers of personal data to a third country or an international organization, including the identification of the said third country or international organization and in the case of mentioned transfers in the Article 49, section 1, second paragraph, the documentation with appropriate guarantees.  
  • Where possible, the deadlines set for the deletion of different categories of data.
  • Where possible, a general description of the technical and organizational security measures referred to in Article 32, section 1.

When is it necessary to maintain a Record of Processing Activities? In what format should it be?

Contact us if you have any doubts regarding the Record of Processing Activities and we will help you resolve them!

 

Share this article

Share

Share on linkedin
Share on email
Share on whatsapp
Share on facebook
Share on twitter
Haz clic aquí

Article written by

Pedro Simón

Doctor en Derecho con mención internacional, que cuenta con una amplia experiencia docente como profesor en diversas instituciones (UdG, UOC, UNIR, ICAB) y que ha investigado ampliamente sobre el derecho digital, es autor de publicaciones como El régimen constitucional del derecho al olvido digital y El reconocimiento del derecho al olvido digital en España y en la UE: Efectos tras la STJUE de 13 de mayo de 2014.

Newsletter

Would you like to receive regular updates on data protection and GDPR? Subscribe to our newsletter and you will be the first to receive our new blog articles, webinars and ebooks.

Related articles

Linkedin Twitter