§ GDPR · Article 30

GDPR Article 30: Obligations, Deadlines & Penalties

Regulation (EU) 2016/679, Article 30 · All obligations · GDPR
At a glance
Article 30 of the GDPR imposes 6 obligations on controller, processor. At least one obligation carries an explicit compliance deadline.
§ Obligations

All obligations under Article 30

Obligation 1
Each controller and, where applicable, the controller's representative, shall maintain a record of processing activities under its responsibility containing specific details such as contact details, purposes, data categories, recipients, transfers, erasure limits, and security measures. Regulation (EU) 2016/679, Article 30, Article 30
Obligated entity
controller
Action required
maintain
Deadline
Penalty
Exemptions
enterprises or organisations employing fewer than 250 persons unless processing is likely to result in risk, is not occasional, or includes special categories of data or criminal convictions data
Obligation 2
Each processor and, where applicable, the processor's representative shall maintain a record of all categories of processing activities carried out on behalf of a controller, containing details of the processor/controller, processing categories, transfers, and security measures. Regulation (EU) 2016/679, Article 30, Article 30
Obligated entity
processor
Action required
maintain
Deadline
Penalty
Exemptions
enterprises or organisations employing fewer than 250 persons unless processing is likely to result in risk, is not occasional, or includes special categories of data or criminal convictions data
Obligation 3
The records of processing activities referred to in paragraphs 1 and 2 shall be in writing, including in electronic form. Regulation (EU) 2016/679, Article 30, Article 30
Obligated entity
controller
Action required
document
Deadline
Penalty
Obligation 4
The records of processing activities referred to in paragraphs 1 and 2 shall be in writing, including in electronic form. Regulation (EU) 2016/679, Article 30, Article 30
Obligated entity
processor
Action required
document
Deadline
Penalty
Obligation 5
The controller or the processor and, where applicable, the controller's or the processor's representative, shall make the record available to the supervisory authority on request. Regulation (EU) 2016/679, Article 30, Article 30
Obligated entity
controller
Action required
provide
Deadline
on request
Penalty
Obligation 6
The controller or the processor and, where applicable, the controller's or the processor's representative, shall make the record available to the supervisory authority on request. Regulation (EU) 2016/679, Article 30, Article 30
Obligated entity
processor
Action required
provide
Deadline
on request
Penalty
§ Frequently asked

Questions about Article 30

Who must comply with Article 30 of the GDPR? +
controller, processor.
What does Article 30 of the GDPR require? +
maintain document provide
What is the compliance deadline for GDPR Article 30? +
on request
Need a cross-border briefing on GDPR Article 30?
Search Fontvera ↵
All EU obligation pages  ·  All GDPR articles