Records of processing may be kept in written or electronic form[1], so expect either to fill in an organization-specific form or to enter your information into some (data protection) management system.
To provide an initial idea, the minimal content of the records of processing for controllers includes the following items[2]:
- the name and contact details of the controller, the controller’s representative and the data protection officer;
- the purposes of the processing;
- a description of the categories of data subjects and of the categories of personal data;
- the categories of recipients to whom the personal data have been or will be disclosed;
- where applicable, transfers of personal data to a third country (see "Transfer of data to third countries" in the "Actions and Tools" Section of the General Part of these Guidelines), together with the documentation of suitable safeguards;
- where possible, the envisaged time limits for erasure of the different categories of data (see "Storage limitation" in the "Main Principles" Section of the General Part of these Guidelines);
- where possible, a general description of the technical and organizational security measures (see "Integrity and confidentiality" in the "Main Principles" Section of the General Part of these Guidelines).
Your organization may use a different set of items: on the one hand, it already possesses some of this information (such as the first bullet); on the other hand, it may require additional information (such as the contact details of the person responsible for the specific processing activity at hand). The legally required record keeping may also be combined with the management needs of the organization, such as an internal inventory of computing resources.
Your organization may also use multiple systems, e.g. depending on whether it is acting as a controller or as a processor, or distinguishing between permanent processing activities (such as communication systems and accounting) and temporary ones (such as those linked to temporary projects or assignments). The GDPR does not prohibit the creation and maintenance of records across multiple systems.
Should you have difficulties in providing the requested information, your data protection officer (if your organization has one) may be able to help.
Checklist (records of processing)
References
1. See Art. 30(3) GDPR.
2. See Art. 30(1) GDPR for more detail.