Processor's record of processing activities
Organisations are obligated to draw up a written description of their personal data processing. This description is called a record of processing activities.
The obligation to draw up a record of processing activities applies to all organisations with more than 250 employees. Smaller organisations are also required to draw up the record if:
- the personal data processing for which the organisation is responsible is likely to pose a risk to the rights and freedoms of data subjects,
- the organisation's processing of personal data is not occasional, or
- the organisation processes special categories of data, or personal data relating to criminal convictions and offences.
Processor refers to a natural person, legal entity, public authority, agency or other body which processes personal data on behalf of the controller.
It does not refer to employees working for the controller (or processor), but is typically another organisation contracted to perform data processing services on behalf of the controller.
Template for processors: record of processing activities (Excel, 18 KB)
The record drawn up by the processor is required to state the following information:
Indicate the name and contact details of the processor, possible representative of the processor and the Data Protection Officer. Also state the controllers and their possible representatives on whose behalf the processor is acting.
Processor's representative refers to a natural person or legal entity established in the European Union to whom the processor has given a written authorisation to act on its behalf. The representative represents the processor in matters involving the processor's obligations under the GDPR.
The Data Protection Officer is a person who assists the controller, with special expertise in data protection legislation and practices, and who monitors compliance with the GDPR in the organisation.
Describe the type of processing performed by the organisation on behalf of the controller. Specify the categories of processing performed for each controller.
Indicate in the record whether data is transferred to third countries or international organisations. If yes, specify the countries and organisations. The record should also indicate the provision of the GDPR and the corresponding mechanism that permits the transfer, such as a Commission adequacy decision under Article 45, binding corporate rules under Article 47, or the standard data protection clauses under Article 46, paragraph 2.
If the transfer to a third country or international organisation is based on the specific situation referred to in Article 49, paragraph 2, describe the documentation of suitable safeguards in the record.
Describe the technical and organisational security measures used to protect the personal data. For example, state how the data is protected from access by outsiders, how access rights have been restricted within the organisation, and how the use of the personal data is monitored. The organisation can, for example, draw up a model for sanctions resulting from misuse and add a link to the model in this section of the record. Other equivalent internal information can also be appended to this section.
If the record contains detailed information on, or links to, e.g., information security practices, protect the record itself from access by unauthorised persons.