Article 30 GDPR (Records of Processing Activities)

Article 30 of GDPR: Data processing record-keeping obligations

Article 30 of GDPR outlines the obligations of data controllers, data processors and their representatives to maintain a record of their data processing activities.

Controller record-keeping obligations (Article 30(1) GDPR)

Article 30(1) enumerates what data controllers and their representatives should keep in their record of data processing activities.

The data processing activity records must demonstrate the following:

  1. Name and contact details of the controller, joint controllers, their representative and data protection officer (Article 30(1)(a) GDPR)
  2. The purpose of the data processing activities (Article 30(1)(b) GDPR)
  3. The different categories of personal data along with a description for each (Article 30(1)(c) GDPR)
  4. Category of recipients with whom personal data will be shared, along with an indication of whether or not they are in third countries or are international organizations (Article 30(1)(d) GDPR)
  5. Indication if personal data is transferred to third countries along with documentation of suitable safeguards (Article 30(1)(e) GDPR)
  6. Where possible, when the personal data will be erased (Article 30(1)(f) GDPR)
  7. A description of technical and organisational security measures taken to protect personal data (Article 30(1)(g) GDPR)

Processor record-keeping obligations (Article 30(2) GDPR)

Article 30(2) enumerates what data processors and their representatives should keep in their record of data processing activities done on behalf of the data controller.

The data processing activity records must demonstrate the following:

  1. Name and contact details of the data processor or processors, the data controller for which they are acting, their representative and the data protection officer (Article 30(2)(a) GDPR)
  2. The different categories of personal data along with a description for each (Article 30(2)(b) GDPR)
  3. Indication if personal data is transferred to third countries along with documentation of suitable safeguards (Article 30(2)(c) GDPR)
  4. A description of technical and organisational security measures taken to protect personal data (Article 30(2)(d) GDPR)

Records to be kept in writing (Article 30(3) GDPR)

Data controllers and data processors, along with their representatives, must keep the required records of data processing activities in writing.

They may keep these records in electronic form.

Records to be made available to the supervisory authority (Article 30(4) GDPR)

The controllers, processors and their representatives must make their data processing activity records available to the supervisory authority upon request.

Companies with fewer than 250 employees are exempt from keeping records (Article 30(5) GDPR)

Companies employing fewer than 250 employees are exempt from keeping a detailed record of their data processing activities as required by Article 30 of GDPR.

However, even a small company will need to keep a detailed record of its data processing activities under the following conditions:

  1. Data processing is likely to result in a risk to individual rights and freedoms
  2. Data processing is not occasional
  3. Data processing includes special categories of data
  4. Data processing includes criminal convictions and offences 

Recitals applicable to Article 30 of GDPR

Relevant Recitals: 13, 82

GDPR Regulation article-by-article overview

Read our comprehensive overview of the GDPR Regulation, article by article, where we summarize each of the 99 articles contained in GDPR to give you a complete understanding of its content.

Cited Legislation in Article 30 or relevant recitals

Commission Recommendation 2003/361/EC (5)

GDPR Text: Article 30 of GDPR and Relevant Recitals

GDPR Text Source: EUR-Lex

Official GDPR Text: General Data Protection Regulation 

Official GDPR Title: REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), corrected by Corrigendum, OJ L 127, 23.5.2018, p. 2 ((EU) 2016/679)

Editorial Staff