GDPR Article 30 (Full Text) – Processing Recordkeeping
The full text of GDPR Article 30: Records of processing activities from the EU General Data Protection Regulation (adopted in May 2016 with an enforcement data of May 25, 2018) is below. This is the English version printed on April 6, 2016 before final adoption.
Article 30
Records of processing activities
1. Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information:
(a) the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer;
(b) the purposes of the processing;
(c) a description of the categories of data subjects and of the categories of personal data;
(d) the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;
(e) where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of appropriate safeguards;
(f) where possible, the envisaged time limits for erasure of the different categories of data;
(g) where possible, a general description of the technical and organisational security measures referred to in Article 32(1).
2. Each processor and, where applicable, the processor’s representative shall maintain a record of all categories of processing activities carried out on behalf of a controller, containing:
(a) the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller’s or the processor’s representative, and the data protection officer;
(b) the categories of processing carried out on behalf of each controller;
(c) where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of appropriate safeguards;
(d) where possible, a general description of the technical and organisational security measures referred to in Article 32(1).
3. The records referred to in paragraphs 1 and 2 shall be in writing, including in electronic form.
4. The controller or the processor and, where applicable, the controller’s or the processor’s representative, shall make the record available to the supervisory authority on request.
5. The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10.
GDPR Article 29 (Previous) | GDPR Articles Index | GDPR Article 31 (Next)
Contact Clarip Today for Help with CCPA and GPDR
The Clarip team and data privacy software are prepared to help your organization improve its privacy practices. Click here to contact us (return messages within 24 hours) or call 1-888-252-5653 to schedule a demo or speak to a member of the Clarip team.
If your challenge right now is CCPA compliance for your California operations, allow us to show you our CCPA software. From consent management software to offer the option to opt-out of the sale of personal data, to a powerful DSAR Portal to facilitate the right to access and delete, Clarip offers enterprise privacy management at an affordable price.
If you are preparing your European operations for GDPR compliance, we can help through our modular GDPR software. Whether you are looking to start the process with GDPR data mapping software, increase automation in your privacy program with DPIA software, or handle ePrivacy with a cookie consent manager, Clarip has the privacy platform that you need to bolster your program.
Click here to contact us (return messages within 24 hours) or call 1-888-252-5653 to schedule a demo and speak to a member of the Clarip team.