Article 30 of the EU General Data Protection Regulation (GDPR) is a law that “requires organizations that process personal data to maintain a record of their processing activities.” Originally adopted back in 2016, this law affects all controllers and processors of personal data within GDPR-regulated organizations.
What are the specific requirements?
Companies are required to keep a record of the data being processed and must explain the purpose of the processing. This record shall include a description of the categories of data subjects and of the categories of personal data. Additionally, they are responsible for disclosing the recipients of the data and must identify any third countries or international organizations receiving transfers of personal data. The name and contact information of the controller who collects the information, or of any of their representatives, must be kept as part of the records as well. Where possible, the records should indicate the planned time frame for erasing each category of personal data, and for as long as sensitive data is being kept they should also outline the security measures taken to protect that information, where applicable. Records are to be kept in writing and in electronic form, and they should be prepared and readily available upon request to the supervisory authorities.
Who does it apply to?
The GDPR states that only organizations that employ 250 or more employees must keep these records of processing activities (RoPA).
Like most rules, this one has exceptions, and there are times when smaller enterprises must comply with Article 30 as well. One such exception is if the processing includes “personal data relating to criminal convictions and offenses.” Because of that exception and others, many smaller organizations will need to comply with this new law or face serious consequences.
Why is it significant?
GDPR’s Article 30 has much more focused rules and requirements compared with any prior privacy regulation. In the United States, there is no federal regulation of data privacy; each state is on its own in that regard. California has the closest laws to the GDPR with the California Consumer Privacy Act (CCPA). Signed into law in 2018, “its goal [was] to extend consumer privacy protections to the internet… Businesses can’t sell consumers’ personal information without providing a web notice… and giving them an opportunity to opt-out.” Article 30 and the RoPA require such detailed records of data processing that complying with other GDPR rules becomes much easier.
Data Subject Requests (DSRs) are only one aspect of the GDPR. The regulations and fines are not confined to whether the information is requested by the data subject. Keeping a RoPA is about overall GDPR compliance in order to avoid fines, even when no request from a data subject is involved. It is still important to protect the data so it is not breached in other ways due to carelessness.
A Complete Guide to Article 30 - https://www.datagrail.io/blog/article-30-guide/