Go back to the main page of the Data Protection Guidance for the organisers
Data Protection Guidance - Question 7
How should you prepare a data processing record?
Applies to Case Scenario 2 (the representative acts as sole data controller), except as regards the use of the Commission’s file exchange service.
Keeping of the record is legally required in particular where sensitive data are being processed.
A record of processing activities is a written document, which needs to include in particular:
- the name and contact details of the data controller, as well as the data protection officer, if any;
- the categories of data subjects and the categories of the processed personal data;
- the purposes of the processing and the references of the initiative concerned
- the recipients of the personal data, i.e. those to whom the data have been or will be disclosed (here: only the relevant Member State authorities in charge of verification and certification of statements of support);
- the dates and channels of such transfers;
- the envisaged time limits for erasure of the data;
- a general description of the technical and organisational security measures like encryption, ability to restore, testing and measures ensuring confidentiality, integrity, availability and resilience, physical security (See Questions on security in the context of the on paper collection, and submission of the collected statements of support to Member States for verification.
PLEASE NOTE:
You do not need to produce a separate record covering processing operations carried out under joint controllership with the Commission, as those are already covered by the record of processing activities established by the Commission (see Case Scenario 1) and use of the Commission’s file exchange service under Case scenario 2). You should provide a link to the Commission’s record in your own documentation/website.
References: