GDPR Article 30 Compliance
Records of processing activities is a requirement that stems from Article 30 of the European General Data Protection Regulation (GDPR). As per Article 30 of the GDPR, controllers and processors have to maintain in writing (including in an electronic form) records of the processing activities unless they meet the exception criteria established in Article 30(5) GDPR.
Article 30 GDPR Requirements
Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information:
- the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer;
- the purposes of the processing;
- a description of the categories of data subjects and of the categories of personal data;
- the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organizations;
- where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
- where possible, the envisaged time limits for erasure of the different categories of data;
- where possible, a general description of the technical and organizational security measures referred to in Article 32(1).
Each processor and, where applicable, the processor’s representative shall maintain a record of all categories of processing activities carried out on behalf of a controller, containing:
- the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller’s or the processor’s representative, and the data protection officer;
- the categories of processing carried out on behalf of each controller;
- where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
- where possible, a general description of the technical and organizatioal security measures referred to in Article 32(1).
Document the records of the processing activities in DataGrail
Under the Inventory System Report Tab in your DataGrail platform, you'll have the ability to build your Data Processing Report to facilitate this Article 30 compliance.
You'll need to add relevant contact details as mentioned by Article 30(1) GDPR under your Data Processing Report.
Each system added under your Live Data Map -> System Inventory will then appear as a system report. If a system was already available within the DataGrail system list (i.e. not a ‘custom’ system), DataGrail populates reports based on common system configuration with the ability to edit/add/remove based on how the system is configured within your business practices. If the system is a 'custom' system, please contact DataGrail in order to have your report pre-populated. The report allows you to document all information requested under Article 30 GDPR.
Disclaimer: The information contained in this message does not constitute as legal advice. We would advise seeking professional counsel before acting on or interpreting any material.