Records of processing activities
Who should maintain the Records of processing activities: the controller, the processor or the DPO?
The GDPR is very clear on this point: each controller shall maintain a Record of processing activities carried out under its responsibility. In addition, each processor shall maintain a Record of all the categories of processing activities carried out on behalf of a controller. However, nothing prevents the controller or the processor from assigning the DPO the task of maintaining the Records of processing activities. The controller and the processor can certainly seek the advice of the DPO when fulfilling this obligation.
What format should the Records of processing activities have? Is there a standard model?
The Records of processing activities shall be kept in writing, in any format, including electronic format. The supervisory authorities can make standard models available, especially to make this obligation easier for micro, small and medium-sized companies, organisations or entities, but these models are not compulsory.
Should the Record of processing activities be published or sent to the supervisory authority?
It shall be kept by the controller and the processor and does not have to be published. It shall be made available to the supervisory authority on request.