Records of Data Processing – Article 30 of the GDPR

What is required by Article 30 of the GDPR?

The GDPR sorts organisations that handle personal data into two roles: data controllers and data processors. A data controller, for example an online retailer, decides which personal data will be collected from consumers (names, email addresses, mobile phone numbers) and for what purposes. A controller will often engage third parties, such as an e-commerce platform or an email management service, to store that data, process payment information or send order status updates to consumers. Those third parties, anyone other than the controller who handles a consumer's personal data on the controller's instructions, are data processors. Note that the same organisation can be a controller for some processing (its own employee records) and a processor for other processing (a client's customer data). The GDPR applies to controllers and processors established in the EU regardless of where the processing itself takes place, and it also reaches controllers and processors outside the EU when their processing relates to offering goods or services to people in the EU or to monitoring their behaviour (Article 3).

Article 30 requires both controllers and processors to maintain "records of processing activities" (RoPA), in writing, including in electronic form, and to make them available to the competent supervisory authority on request. Article 30(5) exempts organisations with fewer than 250 employees, but the exemption falls away if the processing is likely to result in a risk to the rights and freedoms of data subjects, is not occasional, or includes special categories of data (Article 9) or data relating to criminal convictions and offences (Article 10). In practice, routine customer or employee processing is not "occasional", so most organisations should expect to keep these records. Understanding from the outset what data is collected and for what purpose is what makes the records possible to write and to keep current.

What Kind of RoPA is required under Article 30?

For Controllers:

  1. the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer;
  2. the purposes of the processing;
  3. a description of the categories of data subjects and of the categories of personal data;
  4. the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;
  5. where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and the documentation of suitable safeguards;
  6. where possible, the envisaged time limits for erasure of the different categories of data;
  7. where possible, a general description of the technical and organisational security measures referred to in Article 32(1).

For Processors:

  1. the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller’s or the processor’s representative, and the data protection officer;
  2. the categories of processing carried out on behalf of each controller;
  3. where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and the documentation of suitable safeguards;
  4. where possible, a general description of the technical and organisational security measures referred to in Article 32(1).

Keeping good documentation of what personal data is collected, and how and why it is processed, is most of the work of complying with the recordkeeping requirements of Article 30. If a company has not been keeping such records, a data inventory audit is the right first step: for each system or business process, establish what data is collected and why (purposes and categories of data subjects and data), where it is stored, with whom it is shared (recipients, including any transfers outside the EU and the safeguards relied on), how long it is kept (retention and erasure periods) and how it is protected (the security measures in place). Each of those answers maps directly onto an item in the Article 30 lists above, so the audit output can be carried into the RoPA with little rework, and the same record should be reviewed whenever a new vendor, system or purpose is introduced. Contact us for more assistance in preparing these Article 30 records.