UK GDPR: Records of Processing Activities (Article 30)
Records of Processing Activities [Art 30]
Rule: Controllers and processors must maintain written records of processing activities.
Who must keep records? [Art 30(5)]
| Organisation | Required? | Citation |
|---|---|---|
| 250+ employees | Yes | Art 30(5) |
| Fewer than 250 employees BUT: | | |
| - Processing likely to result in risk | Yes | Art 30(5) |
| - Processing is not occasional | Yes | Art 30(5) |
| - Processing includes special category data | Yes | Art 30(5) |
| - Processing includes criminal conviction data | Yes | Art 30(5) |
Practical note: ICO advises most organisations should keep records regardless of size.
Controller’s record must contain [Art 30(1)]
| Information | Details | Citation |
|---|---|---|
| Controller details | Name, contact details, joint controllers, representative, DPO | Art 30(1)(a) |
| Purposes | Purposes of processing | Art 30(1)(b) |
| Categories of data subjects | e.g., customers, employees, website visitors | Art 30(1)(c) |
| Categories of personal data | e.g., contact details, financial info | Art 30(1)(c) |
| Categories of recipients | Including in third countries | Art 30(1)(d) |
| International transfers | Third country, safeguards documentation | Art 30(1)(e) |
| Retention periods | Time limits for erasure (where possible) | Art 30(1)(f) |
| Security measures | Description of technical/organisational measures | Art 30(1)(g) |
Processor’s record must contain [Art 30(2)]
| Information | Details | Citation |
|---|---|---|
| Processor details | Name, contact details | Art 30(2)(a) |
| Controller details | Each controller you process for | Art 30(2)(a) |
| Categories of processing | What you do for each controller | Art 30(2)(b) |
| International transfers | Third country, safeguards documentation | Art 30(2)(c) |
| Security measures | Description of technical/organisational measures | Art 30(2)(d) |
Format and availability [Art 30(3-4)]
| Requirement | Details | Citation |
|---|---|---|
| Written form | Including electronic | Art 30(3) |
| Available to ICO | On request | Art 30(4) |
Source Text
Article 30(1): Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information:
(a) the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer;
(b) the purposes of the processing;
(c) a description of the categories of data subjects and of the categories of personal data;
(d) the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;
(e) where applicable, transfers of personal data to a third country or an international organisation…
(f) where possible, the envisaged time limits for erasure of the different categories of data;
(g) where possible, a general description of the technical and organisational security measures referred to in Article 32(1).
Article 30(5): The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10.