menu MENU
arrow_back Back to the list of all Articles
Change country (Currently : Poland) language
Contact our local member in Poland mail_outline
Visit the website of GKR Legal account_balance

arrow_backPrevious Article
Article 30
Next Articlearrow_forward

Records of processing activities

Official
Texts Guidelines Caselaw Review of
EU Regulation Review of
Nat. Regulation
Show key term(s) and Article(s) related to article 30 of the Regulation keyboard_arrow_down Hide key term(s) and Article(s) related to article 30 keyboard_arrow_up

Articles related to article 30

Key words related to article 30

Show the recitals of the Regulation related to article 30 keyboard_arrow_down Hide the recitals of the Regulation related to article 30 keyboard_arrow_up

(82) In order to demonstrate compliance with this Regulation, the controller or processor should maintain records of processing activities under its responsibility. Each controller and processor should be obliged to cooperate with the supervisory authority and make those records, on request, available to it, so that it might serve for monitoring those processing operations.

Show the recitals of the Directive related to article 30 keyboard_arrow_down Hide the recitals of the Directive related to article 30 keyboard_arrow_up

(25) Whereas the principles of protection must be reflected, on the one hand, in the obligations imposed on persons, public authorities, enterprises, agencies or other bodies responsible for processing, in particular regarding data quality, technical security, notification to the supervisory authority, and the circumstances under which processing can be carried out, and, on the other hand, in the right conferred on individuals, the data on whom are the subject of processing, to be informed that processing is taking place, to consult the data, to request corrections and even to object to processing in certain circumstances;

(48) Whereas the procedures for notifying the supervisory authority are designed to ensure disclosure of the purposes and main features of any processing operation for the purpose of verification that the operation is in accordance with the national measures taken under this Directive;

(49) Whereas, in order to avoid unsuitable administrative formalities, exemptions from the obligation to notify and simplification of the notification required may be provided for by Member States in cases where processing is unlikely adversely to affect the rights and freedoms of data subjects, provided that it is in accordance with a measure taken by a Member State specifying its limits; whereas exemption or simplification may similarly be provided for by Member States where a person appointed by the controller ensures that the processing carried out is not likely adversely to affect the rights and freedoms of data subjects; whereas such a data protection official, whether or not an employee of the controller, must be in a position to exercise his functions in complete independence;

(50) Whereas exemption or simplification could be provided for in cases of processing operations whose sole purpose is the keeping of a register intended, according to national law, to provide information to the public and open to consultation by the public or by any person demonstrating a legitimate interest;

(51) Whereas, nevertheless, simplification or exemption from the obligation to notify shall not release the controller from any of the other obligations resulting from this Directive;

(52) Whereas, in this context, ex post facto verification by the competent authorities must in general be considered a sufficient measure;

The GDPR

In assessing the Directive application, it was found out that the obligation of prior notification referred to in Articles 18 and 19 generated an administrative and financial charge, without actually improving the data protection.

The EU legislature has therefore decided to replace this obligation of notification by an obligation to the controllers and the processors, to maintain a record of processing activities under their responsibility.

Thus, both the controllers and the processors (and, if applicable, their representatives) will have to keep records for all categories of processing activities under their responsibility, that is, for each processing that they implement. These records must be made available to supervisory authorities on request.

These records should include the information listed in the Regulation, which vary according to whether this register is kept by a controller or a processor.

In addition to the information on the identification of the various participants (controllers, processors, but also joint controllers or data protection officers), there are for example the purposes of the processing, a description of the categories of data subjects and related personal data categories, the categories of recipients to which the personal data have been or will be provided, the time limits set for erasure of the different categories of data, a description of the security measures, etc.

The Regulation specifies that these registers must be in written form, including electronic, or any other non-readable form which can be converted into a readable form.

There is a single exception to the obligation to keep records intended for enterprises or organizations with less than 250 employees, unless the treatment they perform is likely to include a high risk in terms of the rights and freedoms of the data subjects, the processing is not occasional, or the processing involves sensitive data referred to in Article 9 (1) or data relating to convictions or criminal offences referred to in Article 10.

The Directive

Under the Directive, Article 16 (2) authorised the Member States to provide for two exceptions to the obligation to send a notification to the supervisory authority prior to the implementation of any processing:

- the first one covered the categories of processing that are not likely to infringe the rights and the freedoms of the data subjects, given the data to process and as long as they specify the purposes, the categories of processed data, the data subjects, the recipients and the period of storage;

- the second one aimed at the assumption where the controller has designated a seconded data protection officer charged, on the one hand, to ensure the compliance of the data protection legislation and on the other hand, to maintain records of the processing activities.

Potential issues

This cancellation of the obligation of prior notification may be interpreted from two points of view. 

From the point of view of the data subjects, this could appear to be a step backward. Indeed, the existing system allowed anybody to get informed about the purposes of the processing and its main features, without being necessary to apply to the controllers via the systems of public registers kept by the authorities, from the statements or prior notifications. But who was actually exercising this possibility?

From the point of view of the controllers, it is clear that the removal of the obligation of prior notification might seem to allow them to avoid significant costs and thus facilitates their life.

Nothing could be less sure.

The real workload stood upstream when it came to identify and maintain documentation of the processing that was subject to a declaration. However, this obligation is generalized in the new system since it concerns all the activity of processing (whereas before, many processing activities were exempted from declaration and were also often not documented internally in the controller’s organization). In addition, the obligation will apply to both the controllers and the processors, or even their representatives if such are to be designated.

arrow_back Previous ArticleArticle 30Next Article arrow_forward
arrow_back Previous ArticleArticle 30 Next Article arrow_forward
arrow_back Previous Article Article 30 Next Article arrow_forward

Summary

European Union

European Union

CJEU caselaw

C-60/22 (4 May 2023) - Bundesrepublik Deutschland

1.      Article 17(1)(d) and Article 18(1)(b) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

must be interpreted as meaning that failure by the controller to comply with the obligations laid down in Articles 26 and 30 of that regulation, which relate, respectively, to the conclusion of an arrangement determining joint responsibility for processing and to the maintenance of a record of processing activities, does not constitute unlawful processing conferring on the data subject a right to erasure or restriction of processing, where such a failure does not, as such, entail an infringement by the controller of the principle of ‘accountability’ as set out in Article 5(2) of that regulation, read in conjunction with Article 5(1)(a) and the first subparagraph of Article 6(1) thereof.

2.      EU law must be interpreted as meaning that, where the controller of personal data has failed to comply with its obligations under Articles 26 or 30 of Regulation 2016/679, the lawfulness of the taking into account of such data by a national court is not subject to the data subject’s consent.

Judgment of the Court 

Retour au sommaire Retour au sommaire
arrow_back Previous Article Article 30 Next Article arrow_forward
Regulation
1e 2e

Art. 30

1.   Each controller and, where applicable, the controller's representative, shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information:

(a) the name and contact details of the controller and, where applicable, the joint controller, the controller's representative and the data protection officer;

(b) the purposes of the processing;

(c) a description of the categories of data subjects and of the categories of personal data;

(d) the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;

(e) where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;

(f) where possible, the envisaged time limits for erasure of the different categories of data;

(g) where possible, a general description of the technical and organisational security measures referred to in Article 32(1).

2.   Each processor and, where applicable, the processor's representative shall maintain a record of all categories of processing activities carried out on behalf of a controller, containing:

(a) the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller's or the processor's representative, and the data protection officer;

(b) the categories of processing carried out on behalf of each controller;

(c) where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;

(d) where possible, a general description of the technical and organisational security measures referred to in Article 32(1).

3.   The records referred to in paragraphs 1 and 2 shall be in writing, including in electronic form.

4.   The controller or the processor and, where applicable, the controller's or the processor's representative, shall make the record available to the supervisory authority on request.

5.   The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10.

 

 
1st proposal close

Art. 28

1.           Each controller and processor and, if any, the controller's representative, shall maintain documentation of all processing operations under its responsibility.

2.           The documentation shall contain at least the following information:

(a)     the name and contact details of the controller, or any joint controller or processor, and of the representative, if any;

(b)     the name and contact details of the data protection officer, if any;

(c)     the purposes of the processing, including the legitimate interests pursued by the controller where the processing is based on point (f) of Article 6(1);

(d)     a description of categories of data subjects and of the categories of personal data relating to them;

(e)     the recipients or categories of recipients of the personal data, including the controllers to whom personal data are disclosed for the legitimate interest pursued by them;

(f)      where applicable, transfers of data to a third country or an international organisation, including the identification of that third country or international organisation and, in case of transfers referred to in point (h) of Article 44(1), the documentation of appropriate safeguards;

(g)     a general indication of the time limits for erasure of the different categories of data;

(h)     the description of the mechanisms referred to in Article 22(3).

3.           The controller and the processor and, if any, the controller's representative, shall make the documentation available, on request, to the supervisory authority.

4.           The obligations referred to in paragraphs 1 and 2 shall not apply to the following controllers and processors:

(a)     a natural person processing personal data without a commercial interest; or

(b)     an enterprise or an organisation employing fewer than 250 persons that is processing personal data only as an activity ancillary to its main activities.

5.           The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the documentation referred to in paragraph 1, to take account of in particular the responsibilities of the controller and the processor and, if any, the controller's representative.

6.           The Commission may lay down standard forms for the documentation referred to in paragraph 1. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).
2nd proposal close

Art. 28

1.  Each controller (...) and, if any, the controller's representative, shall maintain a record  of all categories of personal data processing activities under its responsibility.

This record shall contain (...) the following information:

(a) the name and contact details of the controller and any joint controller (...), controller’s representative and data protection officer, if any;

(b) (...)

(c) the purposes of the processing, including the legitimate interest when the processing is based on Article 6(1)(f);

(d) a description of categories of data subjects and of the categories of personal data relating to them;

(e) the (...) categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries;

(f) where applicable, the categories of transfers of personal data to a third  country or an international organisation (...);

(g) where possible, the envisaged time limits for erasure of the different  categories of data.

(h) where possible, a general description of the technical and organisational security measures referred to in Article 30(1).

2a. Each processor shall maintain a record of all categories of personal data processing activities carried out on behalf of a controller, containing:

(a) the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and of the controller's representative, if any;

(b) the name and contact details of the data protection officer, if any;

(c) the categories of processing carried out on behalf of each controller;

(d) where applicable, the categories of transfers of personal data to a third  country or an international organisation;

(e) where possible, a general description of the technical and organisational security measures referred to in Article 30(1).

3a. The records referred to in paragraphs 1 and 2a shall be in writing, including in an electronic or other non-legible form which is capable of being converted into a legible form.

3. On request, the controller and the processor and, if any, the controller's representative, shall make the record available (...) to the supervisory authority.

4. The obligations referred to in paragraphs 1 and 2a shall not apply to:

(a)(...);

(b) an enterprise or a body employing fewer than 250 persons, unless the processing it carries out is likely to result in a high risk for the rights and freedoms of data subject such as (...) discrimination, identity theft or fraud, unauthorized reversal of pseudonymisation, financial loss, damage to the reputation, loss of confidentiality of data protected by professional secrecy or any other economic or social disadvantage for the data subjects, taking into account the nature, scope, context and purposes of the processing. ;

5. (...)

6. (...)

 
Directive close

No specific provision
Poland
compare_arrows
visibility Old law

Starting from May 25, 2018 GDPR came into force and is fully aplicable in Poland. 

The Act on Protection of Personal Data of 29th August 1997 [unified text: Journal of Laws 2015, item 2135, 2281] is not in force since May 25, 2018. It was replaced by new regulation - The Act on Personal Data Protection of 10th May 2018, which implements GDPR in Poland. 

The Act on Personal Data Protection of 10th May 2018:

Article 2 [Exclusion of the application of certain provisions of Regulation 2016/679]

1. The provisions of Articles 5 to 9, Article 11, Articles 13 to 16, Articles 18 to 22, Article 27, Article 28(2) to (10), and Article 30 of Regulation 2016/679 shall not apply to activities consisting in the editing, preparation, creation or publication of press materials within the meaning of the Act of 26 January 1984 — Press Law (Journal of Laws of 2018, item 1914), as well as to statements made in the course of literary or artistic activity.

2. The provisions of Article 13, Article 15(3) and (4), Article 18, Article 27, Article 28(2) to (10), and Article 30 of Regulation 2016/679 shall not apply to academic expression.

Article 6a [Corresponding application of provisions]

1. To the processing of personal data in the exercise of the constitutional and statutory competences of the President of the Republic of Poland, insofar as it does not fall within national security, the provisions of Articles 4 to 7, Article 11, Article 12, Article 16, Article 17, Article 24(1) and (2), Article 25(1) and (2), Articles 28 to 30, Article 32, Article 34, Article 35, Articles 37 to 39, and Article 86 of Regulation 2016/679, as well as the provisions of Articles 6 and 11 of this Act, shall apply accordingly.

2. The processing of data referred to in Articles 9 and 10 of Regulation 2016/679 shall take place to the extent necessary for the performance of the constitutional and statutory competences of the President of the Republic of Poland, provided that the rights or freedoms of the data subject do not override the performance of the tasks arising from those competences. Articles 9 and 10 GDPR concern special categories of personal data and personal data relating to criminal convictions and offences, respectively. 
Old law close

In force until May 25, 2018:

The Act on Personal Data Protection

Art. 40

The controller shall be obliged to notify a data filing system to registration by the Inspector General, except for the cases referred to in Article 43 paragraphs 1 and 1a.

Art. 41

1. The notification, concerning the data filing system submitted to the registration, should contain the following:

1) an application for entering the personal data filing system into the register of filing systems,

2) specification of the controller and the address of its seat or place of residence, including identification number from the National Official Business Register if such a number was granted, as well as legal basis for maintaining the filing system and, in case of entrusting data processing to the entity referred to in Article 31, or appointing an entity referred to in Article 31a, the specification of such entity and the address of its seat or place of residence,

3) the purpose of the processing of data,

3a) description of the categories of data subjects and the scope of the processed data,

4) information on the ways and means of data collection and disclosure,

4a) information on the recipients or categories of recipients to whom the data may be transferred,

5) the description of technical and organizational measures applied for the purposes referred to in Article 36 to 39,

6) information on the ways and means of fulfilling technical and organizational conditions specified in the provisions referred to in Article 39a,

7) information relating to a possible data transfer to a third country.

2. The controller shall be obliged to notify the Inspector General of any change of the information referred to in paragraph 1, within 30 days of introducing such change in the data filing system, subject to paragraph 3.

3. If the change of information referred to in paragraph 1 point 3a is relative to broadening the scope of the data processed by the data referred to in Article 27 paragraph 1, the controller shall be obliged to notify it before making such change in the data filing system.

4. The provisions on data filing system registration shall apply accordingly to the notification of changes.

 

Art. 42

1. The Inspector General shall keep a national, open register of personal data filing systems. The register should contain the information referred to in Article 41 paragraph 1 point 1 – 4a and point 7.

2. The register referred to in paragraph 1 may be inspected by any person.

3. At the request, the controller may obtain the certificate of registration of data filing system notified by the controller, subject to the provisions of paragraph 4.

4. The Inspector General shall issue to the controller referred to in Article 27 paragraph 1 the certificate of registration of data filing system immediately after the registration.

Art. 46

1. The controller may, subject to the provision of paragraph 2, start the processing of data in the data filing system after notification of the system to the Inspector General, unless the controller is exempted from this obligation by virtue of the Act.

2. The controller of data referred to in Article 27 paragraph 1 may start the processing of these data in the data filing system after registration of the file, unless the controller is exempted from the obligation to submit the system for registration by virtue of the Act.
arrow_back Previous ArticleArticle 30 Next Article arrow_forward
close

2016 - www.itiplaw.eu.