Article 30
Records of processing activities
(25) Whereas the principles of protection must be reflected, on the one hand, in the obligations imposed on persons, public authorities, enterprises, agencies or other bodies responsible for processing, in particular regarding data quality, technical security, notification to the supervisory authority, and the circumstances under which processing can be carried out, and, on the other hand, in the right conferred on individuals, the data on whom are the subject of processing, to be informed that processing is taking place, to consult the data, to request corrections and even to object to processing in certain circumstances;
(48) Whereas the procedures for notifying the supervisory authority are designed to ensure disclosure of the purposes and main features of any processing operation for the purpose of verification that the operation is in accordance with the national measures taken under this Directive;
(49) Whereas, in order to avoid unsuitable administrative formalities, exemptions from the obligation to notify and simplification of the notification required may be provided for by Member States in cases where processing is unlikely adversely to affect the rights and freedoms of data subjects, provided that it is in accordance with a measure taken by a Member State specifying its limits; whereas exemption or simplification may similarly be provided for by Member States where a person appointed by the controller ensures that the processing carried out is not likely adversely to affect the rights and freedoms of data subjects; whereas such a data protection official, whether or not an employee of the controller, must be in a position to exercise his functions in complete independence;
(50) Whereas exemption or simplification could be provided for in cases of processing operations whose sole purpose is the keeping of a register intended, according to national law, to provide information to the public and open to consultation by the public or by any person demonstrating a legitimate interest;
(51) Whereas, nevertheless, simplification or exemption from the obligation to notify shall not release the controller from any of the other obligations resulting from this Directive;
(52) Whereas, in this context, ex post facto verification by the competent authorities must in general be considered a sufficient measure;
Regulation
Art. 30 1. Each controller and, where applicable, the controller's representative, shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information: (a) the name and contact details of the controller and, where applicable, the joint controller, the controller's representative and the data protection officer; (b) the purposes of the processing; (c) a description of the categories of data subjects and of the categories of personal data; (d) the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations; (e) where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards; (f) where possible, the envisaged time limits for erasure of the different categories of data; (g) where possible, a general description of the technical and organisational security measures referred to in Article 32(1). 2. Each processor and, where applicable, the processor's representative shall maintain a record of all categories of processing activities carried out on behalf of a controller, containing: (a) the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller's or the processor's representative, and the data protection officer; (b) the categories of processing carried out on behalf of each controller; (c) where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards; (d) where possible, a general description of the technical and organisational security measures referred to in Article 32(1). 3. The records referred to in paragraphs 1 and 2 shall be in writing, including in electronic form. 4. The controller or the processor and, where applicable, the controller's or the processor's representative, shall make the record available to the supervisory authority on request. 5. The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10.
|
Directive
No specific provision |
United Kingdom
No specific provision. |
Netherlands
Art. 28 WBP 1. De melding behelst een opgave van: a. de naam en het adres van de verantwoordelijke; b. het doel of de doeleinden van de verwerking; c. een beschrijving van de categorieën van betrokkenen en van de gegevens of categorieën van gegevens die daarop betrekking hebben; d. de ontvangers of categorieën van ontvangers aan wie de gegevens kunnen worden verstrekt; e. de voorgenomen doorgiften van gegevens naar landen buiten de Europese Unie; f. een algemene beschrijving om een voorlopig oordeel te kunnen geven over de gepastheid van de voorgenomen maatregelen om, ter toepassing van artikel 13 en 14, de beveiliging van de verwerking te waarborgen. 2. De melding behelst het doel of de doeleinden waarvoor de gegevens of de categorieën van gegevens zijn of worden verzameld. 3. Een wijziging in de naam of het adres van de verantwoordelijke wordt binnen een week gemeld. Wijzigingen in de opgave die betrekking hebben op de onderdelen b tot en met f van het eerste lid, worden telkens binnen een jaar na de voorafgaande melding gemeld voor zover zij blijken van meer dan incidentele aard te zijn. 4. Een verwerking die afwijkt van hetgeen overeenkomstig het eerste lid, onder b tot en met f, is gemeld, wordt vastgelegd en bewaard gedurende ten minste drie jaren. 5. Bij of krachtens algemene maatregel van bestuur kunnen nadere regels worden gesteld over de wijze waarop de melding dient te geschieden __________________________________________________________________________________________________ Section 28 1. The notification will include the following: a. the name and address of the controller; b. the purpose(s) of the processing; c. a description of the category or categories of data subjects and of the data or categories of data relating to them; d. the recipients or categories of recipients to whom the data might be disclosed; e. any proposed transfers of data to countries outside the European Union; f. a general description allowing a preliminary assessment to be made of the appropriateness of the measures taken pursuant to Sections 13 and 14 to ensure the security of the processing. 2. The notification will include the purpose(s) for which the category or categories of data are or will be collected. 3. A change to the name or the address of the controller will be notified within one week. Any changes to the notification concerning subsection 1 (b) to (f) will be notified within one year of the previous notification in so far as they are more than incidental in nature. 4. Data processing which differs from what has been notified in accordance with subsection 1 (b) to (f) will be recorded and stored for at least three years. 5. Further rules may be issued by or pursuant to an order in council regarding the manner in which the notification should be made. |