• Skip to primary navigation
  • Skip to main content
  • Skip to primary sidebar
easy GDPR - we make compliance with GDPR easy

easyGDPR

We make implementing General Data Protection Regulation Easy

  • Home
  • Services
    • Software
      • easyGDPR Quickcheck
      • (DEP) easyGDPR lite
      • (DEP) easyGDPR Standard
      • Data Subject Requests
      • Sophos
    • IT Security
    • network checkup
    • SME digitization funding
    • Data protection consulting
      • Data protection
      • Cybersecurity
    • Training
      • Data protection
      • Cybersecurity
  • Partner
    • Resellerprogramm
    • Affiliate programm
  • GDPR
    • GDPR News
    • FAQ
    • GDPR Decisions
    • GDPR penalties
    • GDPR legal text
  • Shop
  • Contact
    • Contact
    • Newsletter registration
  • Login
    • Shop / Affiliate Program
    • easyGDPR Software
  • German
  • English

30. Records of processing activities

19/12/2016 by Andreas Schindler

« 29. Processing under the authority of the controller or processor31. Cooperation with the supervisory authority »

CHAPTER IV Controller and processor Section 1 General obligations

30. Records of processing activities

Each controller‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law. GDPR Article 4 Paragraph 7 and, where applicable, the controller‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law. GDPR Article 4 Paragraph 7’s representative‘representative’ means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under this Regulation GDPR Article 4 Paragraph 17, shall maintain a record of processing‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. GDPR Article 4 Paragraph 2 activities under its responsibility. That record shall contain all of the following information:
the name and contact details of the controller‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law. GDPR Article 4 Paragraph 7 and, where applicable, the joint controller‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law. GDPR Article 4 Paragraph 7, the controller‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law. GDPR Article 4 Paragraph 7’s representative‘representative’ means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under this Regulation GDPR Article 4 Paragraph 17 and the data protection officer;
the purposes of the processing‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. GDPR Article 4 Paragraph 2;
a description of the categories of data subjects and of the categories of personal data‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person GDPR Article 4 Paragraph 1  ;
the categories of recipient‘recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing. GDPR Article 4 Paragraph 9s to whom the personal data‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person GDPR Article 4 Paragraph 1   have been or will be disclosed including recipient‘recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing. GDPR Article 4 Paragraph 9s in third countries or international organisation‘international organisation’ means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries GDPR Article 4 Paragraph 26s;
where applicable, transfers of personal data‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person GDPR Article 4 Paragraph 1   to a third country or an international organisation‘international organisation’ means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries GDPR Article 4 Paragraph 26, including the identification of that third country or international organisation‘international organisation’ means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries GDPR Article 4 Paragraph 26 and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
where possible, the envisaged time limits for erasure of the different categories of data;
where possible, a general description of the technical and organisational security measures referred to in Article 32(1).

Each processor‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. GDPR Article 4 Paragraph 8 and, where applicable, the processor‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. GDPR Article 4 Paragraph 8’s representative‘representative’ means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under this Regulation GDPR Article 4 Paragraph 17 shall maintain a record of all categories of processing‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. GDPR Article 4 Paragraph 2 activities carried out on behalf of a controller‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law. GDPR Article 4 Paragraph 7, containing:
the name and contact details of the processor‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. GDPR Article 4 Paragraph 8 or processor‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. GDPR Article 4 Paragraph 8s and of each controller‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law. GDPR Article 4 Paragraph 7 on behalf of which the processor‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. GDPR Article 4 Paragraph 8 is acting, and, where applicable, of the controller‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law. GDPR Article 4 Paragraph 7’s or the processor‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. GDPR Article 4 Paragraph 8’s representative‘representative’ means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under this Regulation GDPR Article 4 Paragraph 17, and the data protection officer;
the categories of processing‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. GDPR Article 4 Paragraph 2 carried out on behalf of each controller‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law. GDPR Article 4 Paragraph 7;
where applicable, transfers of personal data‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person GDPR Article 4 Paragraph 1   to a third country or an international organisation‘international organisation’ means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries GDPR Article 4 Paragraph 26, including the identification of that third country or international organisation‘international organisation’ means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries GDPR Article 4 Paragraph 26 and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
where possible, a general description of the technical and organisational security measures referred to in Article 32(1).

The records referred to in paragraphs 1 and 2 shall be in writing, including in electronic form.

The controller‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law. GDPR Article 4 Paragraph 7 or the processor‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. GDPR Article 4 Paragraph 8 and, where applicable, the controller‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law. GDPR Article 4 Paragraph 7’s or the processor‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. GDPR Article 4 Paragraph 8’s representative‘representative’ means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under this Regulation GDPR Article 4 Paragraph 17, shall make the record available to the supervisory authority‘supervisory authority’ means an independent public authority which is established by a Member State pursuant to Article 51 GDPR Article 4 Paragraph 21 on request.

The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise‘enterprise’ means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity GDPR Article 4 Paragraph 18 or an organisation employing fewer than 250 persons unless the processing‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. GDPR Article 4 Paragraph 2 it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. GDPR Article 4 Paragraph 2 is not occasional, or the processing‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. GDPR Article 4 Paragraph 2 includes special categories of data as referred to in Article 9(1) or personal data‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person GDPR Article 4 Paragraph 1   relating to criminal convictions and offences referred to in Article 10.

Recitals

Recital 82

In order to demonstrate compliance with this Regulation, the controller‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law. GDPR Article 4 Paragraph 7 or processor‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. GDPR Article 4 Paragraph 8 should maintain records of processing‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. GDPR Article 4 Paragraph 2 activities under its responsibility. Each controller‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law. GDPR Article 4 Paragraph 7 and processor‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. GDPR Article 4 Paragraph 8 should be obliged to cooperate with the supervisory authority‘supervisory authority’ means an independent public authority which is established by a Member State pursuant to Article 51 GDPR Article 4 Paragraph 21 and make those records, on request, available to it, so that it might serve for monitoring those processing‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. GDPR Article 4 Paragraph 2 operations.

Posts regarding this GDPR Paragraph:

  • As an employer, am I allowed to query the 3G status of my employees? 12/10/2021
  • Privacy policy and information obligations 05/11/2018

FAQs regarding this GDPR Article:

  • What exactly is a Record of Processing Activities (ROPA) and do I need one?
  • May I continue to maintain my acquisition database?

GDPR Fines based on this article

TitleGDPR CountryNumber of involved data recordsGDPR Fine
Data protection violations in the use of a service provider to test a driver assistance system at VolkswagenGermanyunknown1,100,000 €

Category iconUncategorized

Primary Sidebar

IT-Security Whitepaper Downloaden
  • German
  • English
  • Data Protection Statement
  • Terms and Conditions
  • Imprint
  • Licence terms for easyGDPR
  • GDPR terms
We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking "Accept", you consent to the use of ALL the cookies.
SettingsAccept All
Manage consent

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience.
Necessary
Always Enabled

Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.

Non Necessary

Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.

functionality

Diese Art von Cookies erhöht die Benutzerfreundlichkeit unserer Website. Beispielsweise wird darin die von Ihnen ausgewählte Sprache gespeichert. Auch die Verfügbarkeit von Videostreams und sonstigem Inhalt kann von diesen Cookies abhängig sein. Wenn Sie diese Cookies ablehnen, ist die Benutzerfreundlichkeit eingeschränkt.

Save & Accept