Office of the Commissioner for Personal Data Protection

Record of processing activities

One of the changes introduced by the Regulation, specifically aimed at simplifying compliance measures and reducing bureaucracy, is the revision of the duty of data controllers to submit a Notification to the Data Protection Authority before commencing a processing operation.

In light of this, Article 30 of the Regulation requires controllers and processors to keep an internal record of processing activities. The record is made available to the Commissioner on request; it should not be submitted to the Commissioner unless requested. The record of activities must be kept electronically.

Who is obliged to keep a Record of Processing Activities?

The obligation lies with organisations that operate as data controllers or data processors. The controller is the person who determines the purposes and the means of the processing. It can be a natural or a legal person. For enterprises, the controller is usually the owner or the managing director. The processor is a person outside the organisation, to whom the controller assigns a processing operation, and who acts on the instructions of and on behalf of the controller.

For instance, if a company decides to enter into a contract with a cloud service provider, that provider acts as a data processor. Where there are joint controllers, the record of activities should be kept by each of them, according to their particular involvement. If an organisation is based outside the European Union (EU) but offers goods or services to persons within the EU, or monitors their behaviour, it is obliged to appoint a representative in the EU. In such a case, the organisation's representative is responsible for keeping the record of activities.

If a company has an establishment in Cyprus, or is a member of a group of companies whose main establishment is in Cyprus, it is recommended that the Record is kept in cooperation with the other companies of the group engaged in the same or similar activities.

Who is NOT obliged to keep a Record of Processing Activities?

The obligation to keep a record of processing activities does not apply "to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10" (Article 30(5) of the GDPR).

However, it should be underlined that the wording of Article 30(5) is clear in providing that the three types of processing to which the derogation does not apply are alternatives (“or”), and the occurrence of any one of them alone triggers the obligation to maintain the record of processing activities. Therefore, even with fewer than 250 employees, controllers or processors who carry out processing likely to result in a risk (not just a high risk) to the rights of the data subjects, or who process personal data on a non-occasional basis, or who process special categories of data under Article 9(1) or data relating to criminal convictions under Article 10, are still obliged to maintain the record of processing activities.

For example, a small organisation is likely to regularly process data regarding its employees. As a result, such processing cannot be considered “occasional” and must therefore be included in the record of processing activities.

Other processing activities which are indeed “occasional” do not need to be included in the record of processing activities, provided they are unlikely to result in a risk to the rights and freedoms of data subjects and do not involve special categories of data or personal data relating to criminal convictions and offences.

More information is available in the Position paper on the derogations from the obligation to maintain records of processing activities pursuant to Article 30(5) GDPR.

What is the usefulness of keeping a Record of Processing Activities?

Maintaining this Record serves multiple purposes:

  • it aims at answering questions such as “who am I, what am I doing, how do I do it and why am I doing it”. It is a tool of self-understanding and self-assessment.
  • it may serve in adopting a privacy policy, if an organisation is required to have one.
  • it helps an organisation conform to the Principles of Accountability and Transparency.
  • it can be used in formulating a policy or setting up mechanisms for the exercise of data subjects’ rights.

Many organisations ask what they have to do in order to comply with the Regulation and where to start. The preparation of this Record is recommended as a first step. Proper and full completion of the relevant template will help the organisation identify the obligations stemming from the Regulation. Maintaining the Record of Processing Activities is not a static process but a continuous one, since the Record must be updated whenever an existing processing activity changes or a new one is initiated. Keeping this Record is recommended even for organisations that are not under a legal obligation to do so, since it is a useful compliance tool.

What information should be kept in the Record of Processing Activities?

The record must contain at least the following information:
  • the name and contact details of the controller and, where applicable, the joint controller, the controller's representative and the data protection officer;
  • the purposes of the processing;
  • the legal basis of the processing;
  • a description of the categories of data subjects and of the categories of personal data;
  • the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;
  • where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
  • where possible, the envisaged time limits for erasure of the different categories of data;
  • where possible, a general description of the technical and organisational security measures referred to in Article 32(1).

Who is in charge of preparing the record?

The responsibility to maintain the Record lies, depending on the case, with the controller or the processor, or with their representatives, if any. However, they may delegate this task to one of their employees or to an external expert.

If the organisation is obliged to appoint a Data Protection Officer (DPO), it is recommended that the record is prepared by the DPO. In every case, the person undertaking this task must have a full picture of all the activities of the organisation. If he/she is an employee of the organisation, it is recommended that he/she is a high-ranking rather than a low-ranking member, since he/she must be in continuous contact with the management and must have access to all the departments of the organisation in order to record all the personal data processing activities. If the DPO is an external associate, the organisation must provide him/her with the facilitation necessary for the proper preparation of the record.

An administrative sanction or fine may be imposed on an organisation for not maintaining the Record. The fine is imposed on the organisation and not on the person in charge.

The person in charge of preparing the record does not necessarily have to be a lawyer or an IT specialist. Nevertheless, he or she must have knowledge of the Regulation and of all legislation that the organisation applies or that is applicable in the organisation’s field of activity, and must also have at least elementary IT knowledge.

In what language must the record be kept?

The record must be kept in Greek. However, it is recommended that the Table, or at least column 12, is also kept in English by organisations that carry out cross-border processing operations or operate in several EU Member States, provide information society services to children, provide information to data subjects through their website, or make a mechanism available on their website for the exercise of data subjects’ rights. In every case, the information provided to the clients, associates or employees of an organisation must be transparent and intelligible, in an easily accessible form, using clear and plain language.

Any other practical advice?

Some employees may feel that communicating information to their colleagues might compromise confidentiality. It is suggested that the person who undertakes the preparation of the Record is able to handle such issues.

Moreover, the person undertaking this task may need the assistance of the organisation’s IT and legal consultants. It is suggested that the person in charge of the Record is able to convey technical issues to lawyers and legal issues to IT staff, respectively.

How to prepare the record of activities?

The Commissioner has developed a basic template in the form of a table (in Greek and English) to assist you in maintaining the record of activities properly. The accompanying Guide provides guidance on completing the Table.

Download the Excel file: Copy of Αρχείο Δραστηριοτήτων.xlsx

Download the Acrobat file: Guide - Record of activities ENG.pdf

Download the Acrobat file: PositionpaperArt30.pdf

Download the Excel file: Record of Activities Template ENG.xlsx

Guide - Record of activities ENG v1.2.pdf
