Records of processing activities - for data controllers

This template is designed to assist small and medium-sized enterprises (controllers) in creating their own records of processing activities. Each of the 25 sections that make up this form for documenting processing activities must be tailored to the specific data processing operations in your organization. It's important to remember that this document will not be the same for all small and medium-sized enterprises or organizations, even those within the same industry. The record of processing activities should accurately reflect the data processing activities conducted in your organization.

In certain cases, a company acting as a data controller is required to maintain records of its processing activities. These records must include, among other things, information on the purpose of processing, categories of subjects/personal data, categories of data recipients, any transfers of personal data to third countries, retention periods for data deletion, and a description of the technical and organizational measures in place to protect the data.

Regardless of the number of employees, you MUST maintain processing records if any of the following conditions apply:

  • If the processing is likely to pose a risk to the rights and freedoms of the data subjects (for example, the introduction of new technologies such as biometric readers, facial recognition, or IT services that process personal data),

  • If the processing is not occasional, i.e. if the processing is permanent (for example, processing employee personal data for wage payments by the employer),

  • If the processing involves special categories of data (for example, health data, biometric data, or genetic data),

  • If the processing includes personal data related to criminal convictions and offenses.

If your organization has fewer than 250 employees and does not meet any of the above conditions, you are NOT OBLIGATED to maintain records of processing activities. However, we strongly recommend that you keep records of processing activities, as they are a valuable tool for demonstrating compliance with the General Data Protection Regulation.