GDPR Article 30

Records of processing activities in GDPR Article 30

What do companies have to include in the records of processing activities?

GDPR Article 30 requires companies to keep an internal record containing information about all personal data processing activities carried out by the company.

According to the General Data Protection Regulation (GDPR) Article 30, records of processing activities (RoPAs) must include significant information about data processing, including:

  • data categories,
  • the group of data subjects,
  • the purpose of the processing and
  • the data recipients.

This record must be made available to authorities upon request.

Which companies are obliged to keep records of processing activities?

Every company that meets at least one of the following conditions has to keep a record of data processing activities:

  • Processing personal data periodically (not occasionally). This means that if you have a website, or you have customers who periodically order goods or services from you, you are periodically processing personal data.
  • Having more than 250 employees. This requirement can differ by country.
  • Processing any amount of sensitive and private data (concerning health, sexual orientation, racial or ethnic origin, political opinions, religious or philosophical belief, criminal records, etc.).

Companies that carry out any of the following activities are also obliged to keep the records:

  • Evaluating work-related performance,
  • Monitoring individuals' behavior, location and/or movements,
  • Providing insurance, investment, and financial services to private individuals,
  • Providing a loyalty scheme (e.g. customer card) in a retail business,
  • Registering/collecting customer information,
  • Compiling the marketing profile of customers,
  • Providing recruitment or personnel rental services,
  • Collecting people's data related to gambling,
  • Collecting data related to children, the elderly or mentally ill persons,
  • Matching and combining personal data originating from various sources (big data),
  • Transmitting personal data outside the European Union (including cases where the personal data is kept on servers located outside the EU).

How to store records of data processing activities?

It is important to know that all the records must be kept in an electronic form and be updated regularly. 

If your company is obliged to appoint a Data Protection Officer (DPO), then the DPO is responsible for keeping the records of processing activities. 

GOOD TO KNOW: 
There are several templates available at GDPR Register, which help to identify what information should be recorded about the data processing activities and how it should be structured.

What exactly has to be documented?

If you are a data controller, according to GDPR Article 30 you are obliged to document the following:

  • Your company’s name and contact details.
  • If applicable, the name and contact details of the Data Protection Officer.
  • The purposes of the processing – why you use personal data (customer management, employment, marketing, sales).
  • The categories of individuals (e.g. employees, customers). 
  • The categories of personal data you process (e.g. contact details, health data). 
  • The categories of recipients of personal data (e.g. collaboration partners, third parties, tax department, university).
  • If applicable, the names of any third countries or international organisations that you transfer personal data to.
  • If applicable, the safeguards in place for exceptional transfers of personal data to third countries or international organisations.
  • If possible, the retention schedules for the different categories of personal data.
  • If possible, a general description of your technical and organisational security measures (e.g. encryption, employee training, access restrictions to contracts and other personal data, anonymisation, etc).

Save up to 70% of your time by using GDPR Register for creating and maintaining your records of processing activities. You will get a well-structured basis for all the rest of your compliance documentation.
