§ GDPR · Article 30
GDPR Article 30: Obligations, Deadlines & Penalties
At a glance
Article 30 of the GDPR imposes 6 obligations on controller, processor. At least one obligation carries an explicit compliance deadline.
§ Obligations
All obligations under Article 30
Obligation 1
Each controller and, where applicable, the controller's representative, shall maintain a record of processing activities under its responsibility containing specific details such as contact details, purposes, data categories, recipients, transfers, erasure limits, and security measures.
Regulation (EU) 2016/679, Article 30, Article 30
- Obligated entity
-
controller
- Action required
-
maintain
- Deadline
-
—
- Penalty
-
—
- Exemptions
- enterprises or organisations employing fewer than 250 persons unless processing is likely to result in risk, is not occasional, or includes special categories of data or criminal convictions data
Obligation 2
Each processor and, where applicable, the processor's representative shall maintain a record of all categories of processing activities carried out on behalf of a controller, containing details of the processor/controller, processing categories, transfers, and security measures.
Regulation (EU) 2016/679, Article 30, Article 30
- Obligated entity
-
processor
- Action required
-
maintain
- Deadline
-
—
- Penalty
-
—
- Exemptions
- enterprises or organisations employing fewer than 250 persons unless processing is likely to result in risk, is not occasional, or includes special categories of data or criminal convictions data
Obligation 3
The records of processing activities referred to in paragraphs 1 and 2 shall be in writing, including in electronic form.
Regulation (EU) 2016/679, Article 30, Article 30
- Obligated entity
-
controller
- Action required
-
document
- Deadline
-
—
- Penalty
-
—
Obligation 4
The records of processing activities referred to in paragraphs 1 and 2 shall be in writing, including in electronic form.
Regulation (EU) 2016/679, Article 30, Article 30
- Obligated entity
-
processor
- Action required
-
document
- Deadline
-
—
- Penalty
-
—
Obligation 5
The controller or the processor and, where applicable, the controller's or the processor's representative, shall make the record available to the supervisory authority on request.
Regulation (EU) 2016/679, Article 30, Article 30
- Obligated entity
-
controller
- Action required
-
provide
- Deadline
-
on request
- Penalty
-
—
Obligation 6
The controller or the processor and, where applicable, the controller's or the processor's representative, shall make the record available to the supervisory authority on request.
Regulation (EU) 2016/679, Article 30, Article 30
- Obligated entity
-
processor
- Action required
-
provide
- Deadline
-
on request
- Penalty
-
—
§ Frequently asked
Questions about Article 30
Who must comply with Article 30 of the GDPR?
+
controller, processor.
What does Article 30 of the GDPR require?
+
maintain document provide
What is the compliance deadline for GDPR Article 30?
+
on request