Article 30

What is required by Article 30 of the GDPR?

If your company is handling personal data, you are required by the GDPR to keep and maintain an up-to-date record of your data processing activities.

The documentation requirement applies to both the data controller and the data processor. To find out if you are a controller or processor, read more.

What does the controller have to document?

If you are a controller, you decide why and how personal data is processed. Controllers need to document the following:

  • Your organisation's name and contact details.
  • If applicable, the name and contact details of your data protection officer (DPO).
  • If applicable, the name and contact details of any joint controllers – a joint controller is any other organisation that decides jointly with you on how and why data is processed. It could also be a third party that processes user data for its own purposes, e.g. the Facebook like widget.
  • If applicable, the name and contact details of your representative – another organisation that represents you if you monitor or offer services to people in the EU.
  • The purposes of the processing – why you use personal data, e.g. customer management, marketing, recruitment.
  • The categories of individuals – the different types of people whose personal data is processed, e.g. employees, customers, members.
  • The categories of personal data you process – the different types of information you process about people, e.g. contact details, financial information, health data.
  • The categories of recipients of personal data – anyone you share personal data with, e.g. suppliers, credit reference agencies, government departments.
  • If applicable, the name of any third countries or international organisations that you transfer personal data to – any country or organisation outside the EU.
  • If applicable, the safeguards in place for transfers of personal data to third countries or international organisations.
  • If possible, the retention schedules for the different categories of personal data – how long you will keep the data for. This may be set by internal policies or based on industry guidelines, for instance.
  • If possible, a general description of your technical and organisational security measures – your safeguards for protecting personal data, e.g. encryption, access controls, training.

What do processors have to document?

If you are a processor for the personal data you process, you need to document the following:

  • Your organisation’s name and contact details.
  • If applicable, the name and contact details of your data protection officer (DPO).
  • The name and contact details of each controller on whose behalf you are acting.
  • If applicable, the name and contact details of your representative – another organisation that represents you if you offer services to people in the EU.
  • If applicable, the name and contact details of each controller’s representative – another organisation that represents the controller if they monitor or offer services to people in the EU.
  • The categories of processing you carry out on behalf of each controller – the types of things you do with the personal data, e.g. marketing, payroll processing, IT services.
  • If applicable, the name of any third countries or international organisations that you transfer personal data to – any country or organisation outside the EU.
  • If applicable, the safeguards in place for transfers of personal data to third countries or international organisations.
  • If possible, a general description of your technical and organisational security measures – your safeguards for protecting personal data, e.g. encryption, access controls, training.

The Openli Privacy Hub

As part of our Privacy Hub, Openli's team of Privacy Success Managers will reach out to your data processors to collect all the relevant information you need in order to comply with the GDPR. When all available information has been collected from your data processors, the vendor profiles are made available for you to review. This makes it easy to create and maintain your record of processing activities in accordance with GDPR Article 30. You will be able to generate an updated Article 30 report based on your vendor information whenever it is needed, and your dedicated Privacy Success Manager will reach out to your vendors every 6 months to ensure that the data is up to date.
