Records of Processing Activities

Each controller and processor that employs 250 persons or more must maintain a written, including an electronic, record of processing activities (RoPA).  If the controller or processor employs fewer than 250 persons, it must maintain such a RoPA if the processing:

  • Is likely to result in a risk to the rights and freedoms of individuals,
  • Is not occasional, or
  • Includes special categories of data or personal data relating to criminal convictions and offences.

The controller’s RoPA must contain all of the following information:

  • The name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer (DPO);
  • The purposes of the processing;
  • A description of the categories of the individuals and of the categories of personal data;
  • The categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organizations;
  • Where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization and, where required in the case of transfers pursuant to a derogation, the documentation of suitable safeguards;
  • Where possible, the anticipated time limits for erasure of the different categories of data; and
  • Where possible, a general description of the technical and organizational security measures.

The processor’s RoPA of processing carried out on behalf of a controller must contain all of the following information:

  • The name and contact details of the processor or processors and of each controller on behalf of which the processor is acting and, where applicable, of the controller’s or the processor’s representative and the DPO;
  • The categories of processing carried out on behalf of each controller;
  • Where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization and, where required in the case of transfers pursuant to a derogation, the documentation of suitable safeguards; and
  • Where possible, a general description of the technical and organizational security measures.

Even if a RoPA isn’t required, it is a good idea to keep one; as the name describes, the RoPA helps both controllers and processors keep track of their processing activities.

This blog is the 33rd in a series of blogs that explains, in bite size pieces, what needs to be done to put the GDPR into practice and how GDPRsimple, http://www.keepgdprsimple.com, an automated web and mobile tool can help SMEs implement the GDPR and demonstrate their implementation.  Each of the bite size pieces is part of one of the eight topics in GDPRsimple.

Next blog:  International Transfers
