Records of processing activities
The Record of processing activities
The Record of processing activities introduced by the GDPR shall describe the framework of processing carried out, giving details on many characteristics and obligations relating to data processing operations. The Record of processing activities is a very useful means to support an analysis of the implications of any processing whether existing or planned. The Record facilitates the factual assessment of the risk of the processing activities performed by a controller or a processor on individuals’ rights, and the identification and implementation of appropriate security measures to safeguard personal data – both key components of the principle of accountability contained in the GDPR. It should be kept up to date.
The Record shall be in writing, including an electronic form. Both controllers and processors are obliged to draw up the Record of processing activities. The Record shall be made available to the supervisory authority on request.
Maintaining and updating the Record of processing activities meets the principle of accountability, which requires taking responsibility for compliance with the GDPR in all its requirements.
There are also derogations from the obligation to maintain the Record of processing activities.
What the Records of processing activities should contain
The GDPR prescribes that controllers shall provide all of the following information:
2. the purposes of the processing
3. the categories of data and the categories of data subjects
4. the categories of the recipients to whom data have been or will be disclosed (including recipients in third countries or international organisations)
5. where applicable, transfers of personal data to third countries (with identification of the country) and the documentation of suitable safeguards for such transfers
6. the envisaged time limits for erasure of the different categories of data
7. a general description of the technical and organisational security measures.
If considered useful, additional information may be added to better describe the processing activities.
Processors shall maintain a Record of processing activities which is quite similar to what is prescribed for controllers, with details which are, of course, related to the processing carried out on each specific controller’s behalf.
To make this obligation easier for micro, small and medium-sized organisations to meet, the supervisory authorities have made available examples – not compulsory – for drawing up the Records of processing activities. The Italian supervisory authority has issued a downloadable template in PDF and Excel format (Italian version).