UPDATED Novembre 19, 2019
Article 30 GDPR requires each controller and each processor to maintain a record of processing activities under its responsibility which must be in writing (including electronic form). Article 30 details the minimum content of the record.
Some DPA made available model forms and notes for keeping records of processing activities:
- the BayLDA, the Bavarian DPA for the controller and for the processor;
- the ICO, the UK Information Commissioner’s Officer, see here;
- the AEPD, the Spanish DPA, see Annexes IV and V, p. 38 and 39 and a description on how to fill them out in p. 20-23;
- the CNIL, the French DPA, created a toolkit detailing six steps to comply and a template for the Register of processing operations and a template for data breach notifications, both in French.
- the Italian DPA, created a guidance and a form.
- the Dutch DPA issues 5 recommendations.
- The Polish DPA published a PDF with Tips and clarifications regarding the obligation of art. 30 paragraph 1 and 2 GDPR (in Polish)
- The Swedish DPA published a Records of processing activities under Swedish data protection law (here in Swedish)
Attention: the list might not be complete.
For more information on processing EU residents’ data, contact Francesca Giannoni-Crystal and Federica Romanelli
Follow us on& Like us on