Article 30: Records of processing activities


The GDPR is a regulation that advocates complete transparency towards data subjects. The controller and processor cannot hide any fact that might be essential to the rights and freedoms of the data subjects. Hence, another obligation that the controller and processor must comply with is maintaining a record of all the processing activities they conduct.

The controller and processor shall maintain a record of the following:

  1. Their name and contact details, their representative and the details of the data protection officer
  2. The purpose of processing
  3. The categories of data subjects and of the personal data
  4. The recipients in third countries who shall receive the personal data
  5. International transfers to a third country or an international organisation
  6. The appropriate measures taken to protect the data transferred

The above records are general in nature and common to the controller and processor. These records must be in writing, including in electronic form. On request, these records must be made available to the supervisory authority.

Exceptions:

The above obligations shall not be applicable to an organisation employing fewer than 250 persons, provided that:

  1. The data processed shall not pose a threat to the rights and freedoms of the data subjects
  2. The processing is occasional
  3. The data processed does not include special categories of data or personal data relating to criminal convictions and offences

Article 30 ensures that the controller and processor maintain a meticulous record of all processing activities. It also takes the needs of small enterprises into consideration, thereby balancing the rights of data subjects with those of small businesses.
