Search
  • EUPR

Article 30 Records

Updated: Nov 29, 2019

A key function of a GDPR EU Representative is to be able to respond to regulators, such as local European Data Protection Authorities, regarding your company's data processing activities. That is why Article 30 of the GDPR requires your company, either as a processor or controller, to keep these detailed records and also for your representative to have those records available.

For EUPR to represent you, we will need you to provide these records to us and to regularly update them.

Compiling these records will likely take some work. Your legal counsel or compliance consultant may assist in the preparation of these records. Please let us know if we can refer you to trusted data protection professionals who can assist in the preparation of these records.

The UK ICO has provided an example of an Article 30-compliant recordkeeping template:


Documentation template for controllers


Documentation template for processors

Your recordkeeping does not necessarily have to be in this format so long as it contains the following information --

For Controllers:

(a) the name and contact details of the controller and, where applicable, the joint controller, the controller's representa­tive and the data protection officer;

(b) the purposes of the processing; (c) a description of the categories of data subjects and of the categories of personal data;

(d) the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;

(e) where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;

(f) where possible, the envisaged time limits for erasure of the different categories of data;

(g) where possible, a general description of the technical and organisational security measures referred to in Article 32(1).

For Processors:

(a) the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller's or the processor's representative, and the data protection officer;

(b) the categories of processing carried out on behalf of each controller;

(c) where applicable, transfers of personal data to a third country or an international organisation, including the identifi­cation of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;

(d) where possible, a general description of the technical and organisational security measures referred to in Article 32(1).

Reference: GDPR, Article 30 and Recital 80

Doesn't Article 30 have an exception for small businesses? No, if you otherwise need a representative.

You may have noticed or heard that Article 30, paragraph 5 contains an exception to these requirements for businesses with fewer than 250 employees. However, if you meet the criteria for an Article 30 exception, then you likely do not need a representative either given the exception in Article 27, paragraph 2 for "occasional" processing.

Therefore, if you believe you need a representative -- and we assume that since you are reading this, you believe or have been advised to have one -- then this exception would not apply. Note that this is not legal advice and only our interpretation of the law. Please confirm with your own legal counsel.

Relevant provisions of the GDPR:

Article 30 [Records of processing activities], paragraph 5:

The obligations referred to in paragraphs 1 [for controllers] and 2 [for processors] shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10.

Article 27 [Representatives of controllers or processors not established in the Union], paragraph 2:

The obligation laid down in paragraph 1 of this Article shall not apply to:

(a) processing which is occasional, does not include, on a large scale, processing of special categories of data as referred to in Article 9(1) or processing of personal data relating to criminal convictions and offences referred to in Article 10, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing

63 views

EUPR - EU Privacy Representatives (SM)

a service of:

Riga Tech Ventures SIA (limited liability company)

Headquarters /  Hauptniederlassung

Matīsa iela 61A-18

Rīga, LV-1009, Latvia

Reg. No.: LV40103785826

Berlin Branch (dependent) /

unselbständige Zweigstelle Berlin

House A, 1st Floor

Edisonstraße 63

12459 Berlin, Germany

© 2020 Riga Tech Ventures SIA.  All Rights Reserved.