Further Reading: Documentation

Both Controller and Processor are obliged to maintain documentary records of their processing activities – but the obligations on the Controller are more extensive

Controller documentation

  • Name and contact details of the controller, joint controllers and any processors (or their representatives)
  • The name and contact details of the DPO if applicable
  • The purposes of processing
  • A description of the categories of individuals and the categories of personal data processed
  • A description of the recipients or categories of recipients of personal data both within the UK or to international
  • organisations
  • Transfer to third countries and international organisations including details. Where there is infrequent or a one-off transfer then there needs to be a record of the lawful basis of processing and the appropriate safeguards put in place to ensure security
  • A general indication of the time limits for erasure for the different categories of data
  • A description of the technical and organisations mechanisms the controller employs

Processor Documentation

There is a general obligation to record all categories or processing activities carried out on behalf of the controller including:

  • The name and contact details of all processors and related controllers or representatives
  • The name and contact details of the DPO, if applicable
  • Categories of personal data processed on behalf of each controller
  • If applicable the transfers of personal data to a third country, or international organisation
  • Where possible, a general description of the data security measures put in place


The obligation to maintain documentation does not have to be completed by either controller or processor where fewer than 250 are employed unless processing is:

  • Likely to result in a risk for the rights and freedoms of the individual
  • Not occasional


Article 30 and Recital 13, 75 and 82 ICO link to documentation
https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection- regulation-gdpr/documentation/how-do-we-document-our-processing-activities/

A Position paper issued by the Article 29 working party on the 19th April 2018

Article 5(f) and 24, 25, 28, 83
Recitals (39), (74), (78), (81),

ICO link to Accountability and Governance
https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection- regulation-gdpr/accountability-and-governance/

EDPH 04/19 Article 25 Data protection by Design and Default – adopted November 2019