Article 30

Article 30 is an article of the EU’s GDPR that requires organizations that process personal data to maintain a record of their processing activities.

The record of processing activities lets you build an inventory of your data processing and gives you an overview of what you are doing with the personal data concerned. It is a tool to help you comply with the regulation.

This record includes the data being processed and the purpose of the processing. In full detail, it contains a description of the categories of data subjects and of the categories of personal data, discloses the recipients of the data, and must identify third countries or international companies receiving transfers of personal data. Lastly, it includes the name and contact information of the controller who collects the information or any of their representatives.

If possible, records should indicate the planned time frame for erasing personal data. For as long as sensitive data is being kept, the record should also outline the security measures being taken to protect that information, where applicable. Records are to be kept in both written and electronic form, and they should be prepared and readily available to the supervisory authorities upon request.

Article 30 and the record of processing activities (RoPA) require such detailed processing of data that complying with other GDPR rules becomes much more manageable.


The GDPR states that only organizations of 250 or more employees must keep these records.

Smaller companies must comply with Article 30 under specific circumstances (for example, if the processing includes “personal data relating to criminal convictions and offenses”), making it a more common compliance requirement.