Identification and mapping of processing activities (Part 2)

In the first part of this article, we examined the controller's obligation to keep records of processing activities pursuant to Article 30 of the GDPR. In this second part, we focus on the data processor's obligations to keep such records.

Records of processing activities by data processors

It is not uncommon for data processors to process personal data on behalf of more than one data controller. Firms providing processing services relating to, for example, human resources management, payroll and customer relationship management, very often provide such services to more than one client. It is thus no surprise that article 30(2) of the GDPR states that a data processor must maintain a record of all categories of processing activities carried out on behalf of each controller. The records must also contain the name and contact details of the processor or processors and of each controller, as well as, where applicable, the controller's or processor's representative and the data protection officer.

As in the case for controllers, where transfers of personal data are made to a country outside the European Economic Area ("third country") or to an international organisation, this must be recorded, including the identification of that third country or international organisation and the categories of data in question. Pursuant to current Norwegian data protection law, the legal basis for such transfer must also be documented. When the legal basis for such transfer is the new and rather exceptional basis of legitimate interest pursuant to the second sub-paragraph of article 49(1) (that can only be used when no other instrument pursuant to the GDPR is available), the safeguards taken to protect the personal data must be recorded.

Furthermore, according to Article 30(2)(d), where possible, a general description of the technical and organisational security measures referred to in article 32(1) must be recorded. Even though the requirement for such documentation seems to be open to some exception, the applicability of any such exception is unclear. In any case, the requirement to maintain and document information security is a mandatory requirement under the Norwegian Personal Data Act.

Formalities and other provisions applying to both controllers and processors

The records that must be maintained by controllers and processors must be in writing, including in electronic form. Such records must be made available to the supervisory authority on request, a requirement which is already enshrined in the current Norwegian Personal Data Act.

Article 30(5) contains an exception to the controller's and processor's obligation to keep records. This exception, in turn, contains a number of exceptions. Article 30(5) states that the obligation on data controllers and processors to keep records does not apply to an enterprise or organisation employing fewer than 250 persons "unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes [sensitive personal data] or personal data relating to criminal convictions and offences referred to in Article 10". Because of the various exceptions to when article 30(5) shall apply, the applicability of this provision is likely to be limited as very few firms are likely to satisfy all its requirements. Hence, most firms must keep said records. In any case, all data controllers and data processors, irrespective of their size, must remember that there is still an obligation to maintain information security (article 32) and data controllers must furthermore implement appropriate technical and organisational measures to ensure and be able to demonstrate that processing is performed in accordance with the GDPR (article 24).