GENERAL DATA PROTECTION REGULATION AND DATA PROTECTION ACT 2018

This table contains extracts and summaries of legislation using among other things the headings of paragraphs in the Schedules to the UK Data Protection Act 2018 ('DPA'). After identifying relevant paragraphs in those Schedules, users of this table should always use the DPA links provided to refer to the full text of those paragraphs, in order to identify their precise scope and to identify the 'listed GDPR provisions'. (See Summary of Data Protection Act 2018 for further explanation.)

Item Reference       Article 30 Link
1 30. Article 30 GDPR 30
2 30. Records of processing activities GDPR 30
3 30.1 1. Each controller and, where applicable, the controller's representative, shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information: GDPR 30
4 30.1(a) (a) the name and contact details of the controller and, where applicable, the joint controller, the controller's representative and the data protection officer; GDPR 30
5 30.1(b) (b) the purposes of the processing; GDPR 30
6 30.1(c) (c) a description of the categories of data subjects and of the categories of personal data; GDPR 30
7 30.1(d) (d) the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations; GDPR 30
8 30.1(e) (e) where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards; GDPR 30
9 30.1(f) (f) where possible, the envisaged time limits for erasure of the different categories of data; GDPR 30
10 30.1(g) (g) where possible, a general description of the technical and organisational security measures referred to in Article 32(1). GDPR 30
11 30.2 2. Each processor and, where applicable, the processor's representative shall maintain a record of all categories of processing activities carried out on behalf of a controller, containing: GDPR 30
12 30.2(a) (a) the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller's or the processor's representative, and the data protection officer; GDPR 30
13 30.2(b) (b) the categories of processing carried out on behalf of each controller; GDPR 30
14 30.2(c) (c) where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards; GDPR 30
15 30.2(d) (d) where possible, a general description of the technical and organisational security measures referred to in Article 32(1). GDPR 30
16 30.3 3. The records referred to in paragraphs 1 and 2 shall be in writing, including in electronic form. GDPR 30
17 30.4 4. The controller or the processor and, where applicable, the controller's or the processor's representative, shall make the record available to the supervisory authority on request. GDPR 30
18 30.5 5. The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10. GDPR 30
Item Reference Articles which affect Article 30 Link
Item Reference       GDPR Recitals which affect Article 30
28 Recital 13 (13) In order to ensure a consistent level of protection for natural persons throughout the Union and to prevent divergences hampering the free movement of personal data within the internal market, a Regulation is necessary to provide legal certainty and transparency for economic operators, including micro, small and medium-sized enterprises, and to provide natural persons in all Member States with the same level of legally enforceable rights and obligations and responsibilities for controllers and processors, to ensure consistent monitoring of the processing of personal data, and equivalent sanctions in all Member States as well as effective cooperation between the supervisory authorities of different Member States. The proper functioning of the internal market requires that the free movement of personal data within the Union is not restricted or prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data. To take account of the specific situation of micro, small and medium-sized enterprises, this Regulation includes a derogation for organisations with fewer than 250 employees with regard to record-keeping. In addition, the Union institutions and bodies, and Member States and their supervisory authorities, are encouraged to take account of the specific needs of micro, small and medium-sized enterprises in the application of this Regulation. The notion of micro, small and medium-sized enterprises should draw from Article 2 of the Annex to Commission Recommendation 2003/361/EC (5).
29 Recital 82 (82) In order to demonstrate compliance with this Regulation, the controller or processor should maintain records of processing activities under its responsibility. Each controller and processor should be obliged to cooperate with the supervisory authority and make those records, on request, available to it, so that it might serve for monitoring those processing operations.
Item Reference       Related Guidance which affects Article 30
30 Article 29 Working Party Position Paper on the derogations from the obligation to maintain records of processing activities Guidance
31 ICO guidance on Accountability principle Guidance
32 ICO guidance on Accountability and governance Guidance
33 ICO guidance on Documentation Guidance
Disclaimer - Copyright - Privacy policy