Documentation and records of processing (Article 30)
The GDPR abolished the Directive's notification/registration requirement: controllers no longer file their processing activities with a DPA. Instead they must keep detailed records of processing under Article 30, in writing (including in electronic form), and make them available to the DPA on request. (Note: the UK still requires ICO registration and an annual fee.) Both controllers and processors keep records, with different required contents. Article 31 obliges controllers and processors to cooperate with the DPA on request.
Under the Directive, companies had to notify or register intended processing with each national DPA - cumbersome for multinationals, and in some states failure to do so was a criminal offence. The GDPR abolished this. Controllers instead keep records of processing under Article 30, in writing (including electronic form), made available to the DPA on request rather than filed in advance. Exception: the UK still requires ICO registration and an annual fee.

| Controller must record | Processor must record |
|---|---|
| Controller's name/contact; any joint controller, representative, DPO | Processor's name/contact; representatives and DPOs |
| Purposes of the processing | Name/contact of each controller it acts for (and their reps/DPOs) |
| Categories of data subjects and personal data | Categories of processing carried out for each controller |
| Categories of recipients (incl. third countries / international orgs) | Where applicable, transfers to third countries (+ identification and safeguards) |
| Where applicable, third-country transfers (+ safeguards) | Where possible, general description of technical/organisational security measures |
| Where possible, retention/erasure periods per category | - |
| Where possible, general description of technical/organisational security measures | - |

Article 31 is the general requirement for all companies (both controllers and processors) and their representatives to cooperate with the DPA on request in performing its tasks.