Processing Activity Record Information¶
Overview¶
As per the General Data Protection Regulation (GDPR) Article 30, it is required of a data processor to maintain a record of processing activities, which should be available for the national supervisory authority, Datatilsynet in Denmark, upon request. The purpose of this document is therefore to give an overview of the contents of the record, along with the requirements of maintaining it. The actual record is linked at the bottom, and it is based on the example of a processing activity record provided by the supervisory authority Datatilsynet.
Requirements and maintenance¶
There are several requirements by which such a record should comply, primarily including that the record should contain the following information.
- Name and contact information about the data responsible, and a representative and data protection consultant if relevant.
- Purpose of processing
- A description of categories of registered and categories of personal information
- The categories of recipients to whom the information is or will be disclosed, including recipients in third countries and international organizations
- Where applicable information on transfers to third countries or international organization(s) and documentation of appropriate guarantees when transfers are made on the basis of Article 49 (2) of the Regulation 1, second paragraph
- If possible, the expected deadlines for deleting the various categories of information
- If possible, a general description of technical and organizational security measures
Further, it is required that this record is continuously updated to reflect current state of both the project, such as the system, and the entities responsible for it, such as the data controller and processer. Examples of when it would be appropriate to update the record, would be if either the processing activities changed, which could be due to an update to the system to add functionality, or if the parties detailed in the record has changed, which could be due to possible organisational changes or the acquirement of 3rd party assistance that might grant access to the described personal information, e.g. cloud provider tools, logging tools or technical support tools.
The processing activity record¶
The record itself is provided in a separate document.