Article 30
Records of processing activities

Recitals of the Regulation related to Article 30

(82) In order to demonstrate compliance with this Regulation, the controller or processor should maintain records of processing activities under its responsibility. Each controller and processor should be obliged to cooperate with the supervisory authority and make those records, on request, available to it, so that it might serve for monitoring those processing operations.

Recitals of the Directive related to Article 30

(25) Whereas the principles of protection must be reflected, on the one hand, in the obligations imposed on persons, public authorities, enterprises, agencies or other bodies responsible for processing, in particular regarding data quality, technical security, notification to the supervisory authority, and the circumstances under which processing can be carried out, and, on the other hand, in the right conferred on individuals, the data on whom are the subject of processing, to be informed that processing is taking place, to consult the data, to request corrections and even to object to processing in certain circumstances;

(48) Whereas the procedures for notifying the supervisory authority are designed to ensure disclosure of the purposes and main features of any processing operation for the purpose of verification that the operation is in accordance with the national measures taken under this Directive;

(49) Whereas, in order to avoid unsuitable administrative formalities, exemptions from the obligation to notify and simplification of the notification required may be provided for by Member States in cases where processing is unlikely adversely to affect the rights and freedoms of data subjects, provided that it is in accordance with a measure taken by a Member State specifying its limits; whereas exemption or simplification may similarly be provided for by Member States where a person appointed by the controller ensures that the processing carried out is not likely adversely to affect the rights and freedoms of data subjects; whereas such a data protection official, whether or not an employee of the controller, must be in a position to exercise his functions in complete independence;

(50) Whereas exemption or simplification could be provided for in cases of processing operations whose sole purpose is the keeping of a register intended, according to national law, to provide information to the public and open to consultation by the public or by any person demonstrating a legitimate interest;

(51) Whereas, nevertheless, simplification or exemption from the obligation to notify shall not release the controller from any of the other obligations resulting from this Directive;

(52) Whereas, in this context, ex post facto verification by the competent authorities must in general be considered a sufficient measure;

The GDPR

In assessing the application of the Directive, it was found that the obligation of prior notification laid down in Articles 18 and 19 generated an administrative and financial burden without actually improving data protection.

The EU legislature has therefore replaced this notification obligation with an obligation on controllers and processors to maintain a record of the processing activities under their responsibility.

Thus, both controllers and processors (and, where applicable, their representatives) will have to keep records for all categories of processing activities under their responsibility, that is, for each processing operation they implement. These records must be made available to the supervisory authorities on request.

These records must include the information listed in the Regulation, which varies according to whether the record is kept by a controller or by a processor.

In addition to the identification of the various participants (controllers and processors, but also joint controllers and data protection officers), the record must include, for example, the purposes of the processing, a description of the categories of data subjects and of the related categories of personal data, the categories of recipients to whom the personal data have been or will be disclosed, the envisaged time limits for erasure of the different categories of data, a description of the security measures, etc.

The Regulation specifies that these records must be kept in writing, including in electronic form or in any other non-readable form that can be converted into a readable form.

There is a single exception to the record-keeping obligation, for enterprises or organisations with fewer than 250 employees, unless the processing they carry out is likely to result in a high risk to the rights and freedoms of the data subjects, the processing is not occasional, or the processing involves sensitive data referred to in Article 9(1) or data relating to criminal convictions or offences referred to in Article 10.

The Directive

Under the Directive, Article 16(2) authorised the Member States to provide for two exceptions to the obligation to notify the supervisory authority before implementing any processing:

- the first covered categories of processing unlikely to infringe the rights and freedoms of data subjects, given the data to be processed, provided that the purposes, the categories of data processed, the data subjects, the recipients and the storage period were specified;

- the second covered the case where the controller has designated an independent data protection officer responsible, on the one hand, for ensuring compliance with data protection legislation and, on the other hand, for maintaining a record of the processing activities.

Potential issues

The abolition of the prior-notification obligation can be viewed from two perspectives.

From the data subjects' point of view, this could appear to be a step backward. The existing system allowed anybody to learn the purposes and main features of a processing operation, without having to apply to the controller, through the public registers that the authorities kept on the basis of the declarations or prior notifications. But who actually exercised this possibility?

From the controllers' point of view, the removal of the prior-notification obligation might seem to spare them significant costs and thus make their life easier.

Nothing could be less certain.

The real workload lay upstream, in identifying and maintaining documentation of the processing operations that were subject to declaration. In the new system this obligation is generalised, since it covers every processing activity (whereas before, many processing activities were exempt from declaration and were often not documented internally within the controller's organisation either). In addition, the obligation applies to both controllers and processors, and even to their representatives where such are designated.

Regulation

Art. 30

1. Each controller and, where applicable, the controller's representative, shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information:

(a) the name and contact details of the controller and, where applicable, the joint controller, the controller's representative and the data protection officer;

(b) the purposes of the processing;

(c) a description of the categories of data subjects and of the categories of personal data;

(d) the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;

(e) where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;

(f) where possible, the envisaged time limits for erasure of the different categories of data;

(g) where possible, a general description of the technical and organisational security measures referred to in Article 32(1).

2. Each processor and, where applicable, the processor's representative shall maintain a record of all categories of processing activities carried out on behalf of a controller, containing:

(a) the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller's or the processor's representative, and the data protection officer;

(b) the categories of processing carried out on behalf of each controller;

(c) where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;

(d) where possible, a general description of the technical and organisational security measures referred to in Article 32(1).

3. The records referred to in paragraphs 1 and 2 shall be in writing, including in electronic form.

4. The controller or the processor and, where applicable, the controller's or the processor's representative, shall make the record available to the supervisory authority on request.

5. The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10.

1st proposal

Art. 28

1. Each controller and processor and, if any, the controller's representative, shall maintain documentation of all processing operations under its responsibility.

2. The documentation shall contain at least the following information:

(a) the name and contact details of the controller, or any joint controller or processor, and of the representative, if any;

(b) the name and contact details of the data protection officer, if any;

(c) the purposes of the processing, including the legitimate interests pursued by the controller where the processing is based on point (f) of Article 6(1);

(d) a description of categories of data subjects and of the categories of personal data relating to them;

(e) the recipients or categories of recipients of the personal data, including the controllers to whom personal data are disclosed for the legitimate interest pursued by them;

(f) where applicable, transfers of data to a third country or an international organisation, including the identification of that third country or international organisation and, in case of transfers referred to in point (h) of Article 44(1), the documentation of appropriate safeguards;

(g) a general indication of the time limits for erasure of the different categories of data;

(h) the description of the mechanisms referred to in Article 22(3).

3. The controller and the processor and, if any, the controller's representative, shall make the documentation available, on request, to the supervisory authority.

4. The obligations referred to in paragraphs 1 and 2 shall not apply to the following controllers and processors:

(a) a natural person processing personal data without a commercial interest; or

(b) an enterprise or an organisation employing fewer than 250 persons that is processing personal data only as an activity ancillary to its main activities.

5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the documentation referred to in paragraph 1, to take account of in particular the responsibilities of the controller and the processor and, if any, the controller's representative.

6. The Commission may lay down standard forms for the documentation referred to in paragraph 1. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).

2nd proposal

Art. 28

1. Each controller (...) and, if any, the controller's representative, shall maintain a record of all categories of personal data processing activities under its responsibility.

This record shall contain (...) the following information:

(a) the name and contact details of the controller and any joint controller (...), controller’s representative and data protection officer, if any;

(b) (...)

(c) the purposes of the processing, including the legitimate interest when the processing is based on Article 6(1)(f);

(d) a description of categories of data subjects and of the categories of personal data relating to them;

(e) the (...) categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries;

(f) where applicable, the categories of transfers of personal data to a third country or an international organisation (...);

(g) where possible, the envisaged time limits for erasure of the different categories of data.

(h) where possible, a general description of the technical and organisational security measures referred to in Article 30(1).

2a. Each processor shall maintain a record of all categories of personal data processing activities carried out on behalf of a controller, containing:

(a) the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and of the controller's representative, if any;

(b) the name and contact details of the data protection officer, if any;

(c) the categories of processing carried out on behalf of each controller;

(d) where applicable, the categories of transfers of personal data to a third country or an international organisation;

(e) where possible, a general description of the technical and organisational security measures referred to in Article 30(1).

3a. The records referred to in paragraphs 1 and 2a shall be in writing, including in an electronic or other non-legible form which is capable of being converted into a legible form.

3. On request, the controller and the processor and, if any, the controller's representative, shall make the record available (...) to the supervisory authority.

4. The obligations referred to in paragraphs 1 and 2a shall not apply to:

(a)(...);

(b) an enterprise or a body employing fewer than 250 persons, unless the processing it carries out is likely to result in a high risk for the rights and freedoms of data subject such as (...) discrimination, identity theft or fraud, unauthorized reversal of pseudonymisation, financial loss, damage to the reputation, loss of confidentiality of data protected by professional secrecy or any other economic or social disadvantage for the data subjects, taking into account the nature, scope, context and purposes of the processing;

5. (...)

6. (...)

Directive

No specific provision

All of the following in force until May 25, 2018:
Publicity of Data Applications

Data Processing Register

§ 16 DSG 2000

(1) The Data Protection Authority shall operate a register of controllers and their data applications for the purpose of informing the data subjects.

(2) Any person may inspect the register. Access to the registration file including the licences contained therein shall be granted if the person applying for inspection can satisfactorily demonstrate that he is a data subject, and as far as no overriding interest in secrecy on part of the controller deserving protection is an obstacle to access.

(3) The Federal Chancellor shall lay down more specific regulations about the management of the register in an ordinance. This is to be done with due regard to the correctness and completeness of the register, the clarity and expressiveness of the entries and the ease of access.


Duty of the Controller to Notify

§ 17 DSG 2000

(1) Every controller shall, unless provided for otherwise in paras. 2 and 3, before commencing a data application, file a notification whose contents are laid down in § 19 with the Data Protection Authority for the purpose of registration in the Data Processing Register. The duty to notify also applies to all circumstances that subsequently lead to the incorrectness or incompleteness of the notification (notification of change). Such duty of notification applies to manual filing systems only to the extent its contents match at least one of the elements of § 18 para 2 sub-para. 1 to 3.

(1a) The notification is to be filed electronically through a web application to be provided by the Federal Chancellor. Identification and authentication can be performed by using the citizen's card (§ 2 para 10 of the E-Government Act, Federal Law Gazette I No. 10/2004). Detailed instructions on the identification and authentication procedure shall be contained in the ordinance to be rendered according to § 16 para 3. Notification by e-mail or in non-electronic form is admissible for manual filing systems, or in case of a longer-lasting technical blackout of the web application.

(2) Data applications are not subject to notification

1. which solely contain published data or

2. whose subject is the management of registers and catalogues that are by law open to inspection by the public, even if a legitimate interest for doing so must be demonstrated or

3. which contain only indirectly personal data or

4. which are carried out by natural persons for activities that are entirely personal or concern just the person’s family life (§ 45) or

5. which are carried out for journalistic purposes according to § 48 or

6. which correspond to a standard application. The Federal Chancellor can lay down in an ordinance that some types of data applications and transmissions are standard applications, if they are carried out by a large number of controllers in similar fashion and if a risk to the data subjects' interest in secrecy deserving protection is unlikely considering the purpose of the use and the processed categories of data. The ordinance shall list for every Standard Application the authorised categories of data, the categories of data subjects and recipients as well as the maximum period of time during which the data may be stored.

(3) Furthermore, data applications for the purpose of

1. protecting the constitutional institutions of the Republic of Austria or

2. safeguarding the operational readiness of the federal army or

3. safeguarding the interests of comprehensive national defence or

4. protecting important foreign policy, economic or financial interests of the Republic of Austria or the European Union or

5. preventing and prosecuting crimes

shall be exempt from the duty to notify, insofar as this is necessary to achieve the purpose of the data application.


Required Content of the Notification

§ 19 DSG 2000

(1) A notification pursuant to § 17 must contain

1. the name (or other designation) and address of the controller and of his representative according to § 6 para. 3 or of the operator pursuant to § 50 para. 1; furthermore the registration number of the controller, insofar as one has been already assigned to him, and

2. the proof of statutory competence or of the legitimate authority that the controller’s activities are permitted, if so required and

3. the purpose of the data application to be registered and the legal basis, as long as this is not included in the information according to sub-para. 2 and

3a. a statement, whether the data application matches one or more of the cases for prior checking named in § 18 para 2 sub-para 1 to 4 or § 50c para 1 second sentence and

4. the categories of data subjects and the categories of data about them that are processed and

5. the categories of data subjects affected by intended transmissions, the categories of data to be transmitted and the matching categories of recipients – including possible recipient states abroad – as well as the legal basis for the transmission and

6. insofar as a permit by the Data Protection Authority is required the file number of the permit of the Data Protection Authority as well as

7. a general description of data security measures taken pursuant to § 14, which enable a preliminary assessment of the appropriateness of the security measures.

(2) The controller may, from the time the notification is submitted until the end of the registration procedure, promise to respect certain requirements or conditions when operating a data application, or to operate the data application only for a limited period of time. A declaration of this type becomes legally binding for the controller upon registration by the Data Protection Authority. A registration may only be made if the promised requirement, condition or time limit is equally specific to a requirement that could be imposed by the Data Protection Authority according to § 21 para 2.

(3) If a large number of controllers have to carry out data applications in similar fashion and the prerequisites for a Standard Application do not apply, the Federal Chancellor can designate model applications by ordinance. Notifications of data applications whose content corresponds to a model application need to contain only the following:

1. the designation of the model application according to the model ordinance and

2. the designation and address of the controller as well as proof of statutory competencies or of legitimate authority, as far as this is required, and

3. the registration number of the controller, insofar as one has been already assigned to him.

(4) A notification is insufficient if information is missing, obviously incorrect, inconsistent or so deficient that persons accessing the register to safeguard their rights under this federal law cannot obtain sufficient information as to whether their interests in secrecy deserving protection could be infringed by the data application. In particular, there is an inconsistency where the notified content deviates from the notified legal basis.
