📕 Article 30 of the GDPR requires each controller to keep a register of the processing carried out under its responsibility. This register must contain all of the following information (some of which is the same information that must be shared with customers).
- Name and contact details of the processor and, where applicable, the co-responsible for processing, the processor's representative and the Data Protection Officer: these are covered by the information obligation of Articles 13 and 14 of the GDPR.
- The purposes of processing: these are covered by the information obligation of Articles 13 and 14 of the GDPR.
- A description of who is concerned and what data is concerned.
- The kinds of recipients to whom the data have been or will be communicated, including recipients in foreign countries or international organizations: these are covered by the information obligation of Articles 13 and 14 of the GDPR.
- Where applicable, transfers of personal data to a foreign country or an international organization, including the identification of that country or international organization and, for transfers under Article 49, section 1, second subparagraph, the files certifying the existence of the appropriate guarantees: these are covered by the information obligation of Articles 13 and 14 of the GDPR.
- The deadlines set for data removal: these are covered by the information obligation of Articles 13 and 14 of the GDPR.
- When possible, a general description of the technical and organizational security measures referred to in Article 32 (for instance, the pseudonymization and encryption of personal data; the measures that guarantee the confidentiality, integrity and availability of personal data and restore access to them within an appropriate time after a physical or technical incident; and the procedure for regularly checking, analyzing and evaluating the effectiveness of the technical and organizational measures that ensure the security of processing).
Each processor's representative shall maintain a record of all categories of processing activities carried out on behalf of a controller, containing:
- Name and contact details of the processor and, where applicable, of the co-responsible for processing for which it is working, and the contact details of the Data Protection Officer.
- The purposes of the processing carried out for each processor.
- Where applicable, transfers of personal data to a foreign country or an international organization, including the identification of that country or international organization and, for transfers under Article 49, section 1, second subparagraph, the files certifying the existence of appropriate guarantees.
- When possible, a general description of the technical and organizational security measures.
There are exceptions to these record-keeping obligations, especially for a company that has fewer than 250 workers, unless the processing is risky and is not occasional, or if it includes particular categories of personal data (sensitive data).