IAPP Training · Module 10 - BoK IV.B
Module 10 · Records of processing (Article 30)
Records of processing (Article 30) apply to organisations with 250+ employees, OR - regardless of size - where processing is likely to result in a risk, is not occasional, or includes special-category / criminal-conviction data, so they reach many small organisations too. Controller records and processor records overlap but differ: only the controller's records list the purposes of processing and the categories of data subjects and recipients.
- Applies to organisations with 250+ employees, OR regardless of size where processing is likely to result in a risk, is not occasional, or includes special-category / criminal-conviction data.
- Result: Article 30 reaches many small organisations too.
| Element | Controller records | Processor records |
|---|---|---|
| Name/contact of the entity and DPO | Yes (controller + DPO) | Yes (processor, controller + DPO) |
| Purposes of processing | Yes | No |
| Categories of data subjects, personal data and recipients | Yes | No (instead: categories of processing for the controller) |
| Categories of processing carried out for the controller | No | Yes |
| International transfers and safeguards | Yes | Yes |
| Retention periods | Yes | No |
| General description of security measures | Yes | Yes |
Burn-in distinction
The exam favourite: purposes of processing appear in the controller's records but NOT the processor's. International transfers and a general description of security measures appear in both.
Key terms - quick answers
What is “Records of processing”?
Article 30 written inventory of processing activities, kept by controllers and processors subject to thresholds.