Record of processing activities

By | Friday March 24th, 2017

Article 30 of the GDPR, “Records of processing activities”, obliges the controller and the processor to maintain a record of the processing activities under their responsibility.

Specifically, that record shall contain all of the following information:

  • the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer;
  • the purposes of the processing;
  • a description of the categories of data subject and the categories of personal data;
  • the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organizations;
  • where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization and, in the case of transfers referred to in the second subparagraph of Article 49 (1), the documentation of suitable safeguards;
  • where possible, the envisaged time limits for erasure of the different categories of data;
  • where possible, a general description of the technical and organizational security measures referred to in Article 32.

It is a macro formality, very important for companies, and a precondition for data management that complies with the law.

The controller and the processor will have to comply by 24 May 2018; however, the obligations shall not apply to an enterprise or an organization employing fewer than 250 persons unless:

  1. the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects;
  2. the processing is not occasional, or the processing includes special categories of data as referred to in Article 9 and Article 10.
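
Company with fewer than 250 people

| Case | Risky processing | Frequency of processing (occasional or not occasional/usual) | Risky processing of special data (Art. 9 and Art. 10) | Obligation to keep the record |
|------|------------------|--------------------------------------------------------------|-------------------------------------------------------|-------------------------------|
| A | YES | Not occasional | YES | YES |
| B | YES | Not occasional | YES | YES |
| C | YES | Occasional | YES | YES |
| D | YES | Occasional | NO | NO |
| E | NO | - | - | NO |
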

Therefore, the obligation to maintain records of processing does not apply when the controller or the processor, within an organization with fewer than 250 people, carries out processing that is risky but occasional and the data involved are not included in the special categories.

Unfortunately, the GDPR does not clarify when processing is occasional or when it constitutes a risk for the rights and freedoms of data subjects, and in the absence of official guidelines or directives I consider it appropriate to apply the principle of accountability!

Of course, a guideline would help.

Category: Legal framework

About cinziameucci

Junior Privacy & Legal Consultant at Grant Change S.r.l., specialized in services for businesses. Currently specializing in data protection for the finance, marketing, social, IT and corporate compliance sectors.

2 thoughts on “Record of processing activities”

  1. paolo calvi

    While waiting for the guidelines, does anyone know whether the records kept by controllers and those kept by processors (including by the same entity acting both as controller and as processor appointed by other controllers) must contain the same information described in this post? Or is some difference envisaged?

  2. cinziameucci Post author

    There do not appear to be any substantial differences.
    Article 30 provides that points b), c) and d) listed above refer only to the controller's record, but in my opinion these are brought together under point b) of paragraph 2, dedicated to the processor's record, namely “categories of processing carried out on behalf of each controller”.
    The same goes for point f.
