Article 30

Article 30 of the EU General Data Protection Regulation (GDPR) requires organizations that process personal data to maintain a record of their processing activities. Adopted in April 2016 and enforceable since May 2018, this provision applies to all controllers and processors handling personal data under the GDPR.

What are the specific requirements?

Organizations are required to keep a record of the data being processed and must document the purpose of the processing (Record of Processing Activity, or “RoPA”).

This record must:

  • Include a description of the categories of data subjects and categories of personal data.
  • Disclose the categories of data recipients and identify third countries or international organizations receiving transfers of personal data.
  • Document the name and contact details of the controller, any joint controllers, their representatives, and the data protection officer.
  • Describe the technical and organizational security measures in place to protect personal data.
  • Where possible, indicate data deletion schedules for the different categories of data.

Records are to be maintained in writing, including in electronic form, and must be made available to the supervisory authority upon request.

Who does it apply to?

The GDPR exempts organizations employing fewer than 250 people from maintaining a full RoPA, but only if the processing is occasional, does not pose a risk to the rights and freedoms of data subjects, and does not involve special categories of data or personal data relating to criminal convictions and offenses. 

In practice, because most organizations process data regularly (payroll, CRM, website analytics), the exemption rarely applies, and most organizations of any size will need to comply.

Why is it significant?

GDPR's Article 30 introduced more detailed record-keeping requirements than any prior privacy regulation. In the United States, there is no comprehensive federal data privacy law, though sector-specific regulations like HIPAA and COPPA cover certain categories. California has among the closest state-level parallels to the GDPR with the California Consumer Privacy Act (CCPA), signed into law in 2018 and later amended by the California Privacy Rights Act (CPRA). 

Article 30 and RoPA require such detailed documentation of processing activities that maintaining them makes complying with other GDPR obligations, such as responding to data subject requests or conducting data protection impact assessments, significantly easier.

Data Subject Requests (DSRs) are only one aspect of the GDPR. The regulation's obligations and fines are not limited to situations where a data subject requests information. Keeping a RoPA is about demonstrating GDPR compliance overall: failing to maintain one can result in fines of up to €10 million or 2% of annual global turnover under Article 83(4)(a), even absent a data breach or subject request.

Resources

A Complete Guide to Article 30 - https://www.datagrail.io/blog/article-30-guide/