Information on UK GDPR article 30 on records of processing activities

Published on January 13, 2022 by Lionheart Squared

Why?

These records of processing activities form part of the UK GDPR obligations whereby companies must capture, among other things, the categories of personal data being processed, and describe technical and organisational security measures to protect personal data.


  • It is also a means of demonstrating UK GDPR accountability (Art. 5.2).
  • It is also an enforcement tool for data protection authorities who may request this documentation (Recital 82).


Who?

Applies to data controllers and data processors subject to UK GDPR (Art. 3(2)) and, where applicable, to their GDPR representative (Art. 30(4)).


When?

Applies to all UK GDPR covered entities except those employing fewer than 250 persons. That exception must be evaluated, however: it holds only if the processing is not likely to result in a high risk to the rights and freedoms of data subjects and is only occasional, and it is removed entirely where sensitive personal data is processed, in which case a ROPA must be maintained (Art. 30(5)).


What?

Detailed records must be maintained concerning processing of personal data of UK data subjects. The UK GDPR explains exactly what is required to be recorded by data controllers (Art. 30(1)) and by data processors (Art. 30(2)).


How?

In written form, including electronic form (Art. 30(3)). See ‘Tools’ for forms and additional resources prepared by data protection authorities and standards bodies.


If not?

Non-compliance may bring administrative fines of £8 700 000 or 2% of global annual turnover, whichever is higher (Art. 83(4)).



Tools & Implementation Guidelines

  • UK ICO website – ‘How do we document our processing activities?’ including separate MS Excel templates for controllers and processors
  • ISO/IEC 27701:2019 privacy information management, implementation clause 7.2.8


Article 30

Records of processing activities

  1. Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information:

    a) The name and the contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer;

    b) the purposes of the processing;

    c) a description of the categories of data subjects and of the categories of personal data;

    d) the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;

    e) where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;

    f) where possible, the envisaged time limits for erasure of the different categories of data;

    g) where possible, a general description of the technical and organisational security measures referred to in Article 32(1).

  2. Each processor and, where applicable, the processor’s representative shall maintain a record of all categories of processing activities carried out on the behalf of the controller, containing:

    a) the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller’s or the processor’s representative, and the data protection officer;

    b) the categories of the processing carried out on behalf of each controller;

    c) where applicable, transfers of personal data to a third country or an international organization and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;

    d) where possible a general description of the technical and organisational security measures referred to in Article 32(1).

  3. The records referred to in paragraphs 1 and 2 shall be in writing, including electronic form.
  4. The controller or the processor and, where applicable, the controller’s or the processor’s representative, shall make the record available to the supervisory authority on request.
  5. The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of the data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10.

The information provided and the opinions expressed herein represent the views of Lionheart Squared Limited. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on Data Protection legislation, regulations or other statutory measures referred to in the course of consultation.
