Controller's record of processing activities
The obligation to draw up a record of processing activities applies to all organisations with more than 250 employees. Smaller organisations are also required to draw up the record if
the personal data processing for which the organisation is responsible is likely to pose a risk to the rights and freedoms of data subjects;
the organisation's processing of personal data is not occasional; or
the organisation processes special categories of data, or personal data relating to criminal convictions and offences.
When another organisation is performing certain processing activities on behalf of the controller, this processor is required to describe its own processing activities. In such cases, the controller can append the processor's record to its own, insofar as it applies to the processing of data under the responsibility of the controller.
The record drawn up by the controller is required to state the following information