Records of Processing Activities
A record of processing activities is a description of the organization's processing of personal data, which is maintained to demonstrate that data protection has been adequately ensured. The record must be in writing (almost without exception in electronic form) and must be provided to the supervisory authority upon request. An organization acting as a processor may also be obliged to provide the record, where applicable, to the entity on whose behalf it processes personal data.
A record of the processing activities must be made if the organization has more than 250 employees. In this case, the record must cover all processing operations.
A record of the processing activities must also be made, regardless of the number of employees, if:
The processing of personal data is likely to present a risk to the rights and freedoms of the data subject;
The processing of personal data is not occasional; or
The personal data processed contain special categories of data or personal data relating to criminal convictions and offences.
The record must be updated regularly so that it stays current. Even if there is no legal obligation to produce a processing record, producing and maintaining a record can be a good way of ensuring effective data protection management.
The content of the record depends partly on whether the organization is a controller or a processor. For each processing operation, the controller must describe, among other things:
The purposes of the processing
The categories of data subjects and the categories of personal data processed
The entities to which the data will be disclosed on a regular basis
The data retention periods
Technical and organizational safeguards
The processor should include in its record all controllers on whose behalf it processes the data.