Article 30 of GDPR: Data processing record-keeping obligations
Article 30 of GDPR outlines the obligations of data controllers, data processors and their representatives to maintain a record of their data processing activities.
Controller record-keeping obligations (Article 30(1) GDPR)
Article 30(1) lists the information that data controllers and their representatives should keep in their records of data processing activities.
The data processing activity records must demonstrate the following:
- Name and contact details of the controller, joint controllers, their representative and data protection officer (Article 30(1)(a) GDPR)
- The purpose of the data processing activities (Article 30(1)(b) GDPR)
- The different categories of personal data along with a description for each (Article 30(1)(c) GDPR)
- Category of recipients with whom personal data will be shared, along with an indication of whether they are in third countries or are international organizations (Article 30(1)(d) GDPR)
- Indication if personal data is transferred to third countries along with documentation of suitable safeguards (Article 30(1)(e) GDPR)
- Where possible, when the personal data will be erased (Article 30(1)(f) GDPR)
- A description of technical and organisational security measures taken to protect personal data (Article 30(1)(g) GDPR)
Processor record-keeping obligations (Article 30(2) GDPR)
Article 30(2) lists the information that data processors and their representatives should keep in their records of data processing activities carried out on behalf of the data controller.
The data processing activity records must demonstrate the following:
- Name and contact details of the data processor or processors, their representative, the data controller on whose behalf they are acting, and the data protection officer (Article 30(2)(a) GDPR)
- The different categories of personal data along with a description for each (Article 30(2)(b) GDPR)
- Indication if personal data is transferred to third countries along with documentation of suitable safeguards (Article 30(2)(c) GDPR)
- A description of technical and organisational security measures taken to protect personal data (Article 30(2)(d) GDPR)
Records to be kept in writing (Article 30(3) GDPR)
Data controllers and data processors, along with their representatives, must keep the required records of data processing activities in writing.
They may keep these records in electronic form.
Records to be made available to the supervisory authority (Article 30(4) GDPR)
The controllers, processors and their representatives must make their data processing activity records available to the supervisory authority upon request.
Companies with fewer than 250 employees are exempt from keeping records (Article 30(5) GDPR)
Companies employing fewer than 250 employees are exempt from keeping a detailed record of their data processing activities as required by Article 30 of GDPR.
However, even a small company will need to keep a detailed record of its data processing activities under the following conditions:
- Data processing is likely to result in a risk to individual rights and freedoms
- Data processing is not occasional
- Data processing includes special categories of data
- Data processing includes criminal convictions and offences
Recitals applicable to Article 30 of GDPR
Relevant Recitals: 13, 82
Cited Legislation in Article 30 or relevant recitals
Commission Recommendation 2003/361/EC (5)
GDPR Text: Article 30 of GDPR and Relevant Recitals
GDPR Text Source: EUR-Lex
Official GDPR Text: General Data Protection Regulation
Official GDPR Title: REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), corrected by Corrigendum, OJ L 127, 23.5.2018, p. 2 ((EU) 2016/679)