Skip to main content
European Citizens' Initiative

Data Protection Guidance - Question 7

Go back to the main page of the Data Protection Guidance for the organisers


Data Protection Guidance - Question 7

How should you prepare a data processing record?

Applies to Case Scenario 2 (the representative acts as sole data controller), except as regards the use of the Commission’s file exchange service.

Keeping of the record is legally required in particular where sensitive data are being processed.

A record of processing activities is a written document, which needs to include in particular:


You do not need to produce a separate record covering processing operations carried out under joint controllership with the Commission, as those are already covered by the record of processing activities established by the Commission (see Case Scenario 1) and use of the Commission’s file exchange service under Case scenario 2). You should provide a link to the Commission’s record in your own documentation/website.


  • Article 30 of the GDPR
  • Article 31 of the EUDPR
Want to learn and collaborate?