One of the major changes the GDPR introduces is a duty for in-scope controllers and processors to maintain written records of processing activities.
Under Article 30 GDPR, companies will need to inventory all “processing activities under [their] responsibility” and memorialize them in a written record setting forth, inter alia, the purposes of processing operations, international transfers, and retention periods. Companies must provide their processing records (sometimes informally referred to as a “processing inventory”) to EU data protection authorities (DPAs) upon request.
These Article 30 “Model Processing Records” have been published by Germany’s Conference of Independent Federal and State Data Protection Authorities, commonly referred to as the DSK or “Datenschutzkonferenz” (Data Protection Conference). The DSK is composed of Germany’s Federal DPA as well as all 17 state-run DPAs responsible for private-sector and public-sector controllers. As a result, the Model Processing Records have been reviewed by representatives of all German DPAs.
The DSK has provided two Model Processing Records: (1) a Model Processing Record for Controllers, and (2) a Model Processing Record for Processors. Although these documents are currently only available in German, we are offering non-official convenience translations here (click to download):
- Controller Model Processing Record
- Processor Model Processing Record
German versions of the Model Processing Records can be accessed from the website of the DPA of Sachsen-Anhalt here.