At a glance

  • As well as your obligation to provide comprehensive, clear and transparent privacy policies (see section on Individual rights), if your organisation has more than 250 employees, you must maintain additional internal records of your processing activities.
  • If your organisation has fewer than 250 employees, you are required to maintain records of activities related to higher risk processing, such as:
    • processing personal data that could result in a risk to the rights and freedoms of individuals; or
    • processing of special categories of data or criminal convictions and offences.

In brief

What do I need to record?

You must maintain internal records of processing activities. You must record the following information:

  • name and details of your organisation (and where applicable, of other controllers, your representative and data protection officer);
  • purposes of the processing;
  • description of the categories of individuals and categories of personal data;
  • categories of recipients of personal data;
  • details of transfers to third countries including documentation of the transfer mechanism safeguards in place;
  • retention schedules; and
  • description of technical and organisational security measures.

You may be required to make these records available to the relevant supervisory authority for purposes of an investigation.

In more detail – Article 29

The Article 29 Working Party includes representatives from the data protection authorities of each EU member state. It adopts guidelines for complying with the requirements of the GDPR.

The Article 29 Working Party has published guidelines on lead supervisory authorities and FAQs on lead supervisory authorities. These are intended to assist in identifying which is the lead supervisory authority when a controller or processor is carrying out cross-border processing of personal data.