Both Controller and Processor are obliged to maintain documentary records of their processing activities – but the obligations on the Controller are more extensive
Controller documentation
Processor Documentation
There is a general obligation to record all categories or processing activities carried out on behalf of the controller including:
Exemptions
The obligation to maintain documentation does not have to be completed by either controller or processor where fewer than 250 are employed unless processing is:
References:
Article 30 and Recital 13, 75 and 82 ICO link to documentation
https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection- regulation-gdpr/documentation/how-do-we-document-our-processing-activities/
A Position paper issued by the Article 29 working party on the 19th April 2018
https://ec.europa.eu/newsroom/article29/document.cfm?action=display&doc_id=51422
Article 5(f) and 24, 25, 28, 83
Recitals (39), (74), (78), (81),
ICO link to Accountability and Governance
https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection- regulation-gdpr/accountability-and-governance/
EDPH 04/19 Article 25 Data protection by Design and Default – adopted November 2019
https://edpb.europa.eu/our-work-tools/public-consultat
IS THE END OF THIS LINK MISSING?