Keeping records and ensuring security
Based on Article 30, controllers have to maintain records of all processing activities. These records need to be in writing (including in electronic form) and have to be made available to the competent supervisory authority upon request.
Controllers can be exempted from this obligation when they have fewer than 250 employees, except where the processing may give rise to a risk to data subjects’ rights and freedoms, where the processing is not occasional, where the processing includes special categories of personal data (Article 9), or where the data relate to criminal convictions and offences (Article 10).
Records need to include:
- The name and contact details of the controller;
- The purposes of the processing;
- Categories of data subjects, personal data and recipients;
- Information regarding data transfer outside the EU;
- The envisaged time limits for erasure;
- A general description of the technical and organisational security measures.
Technical and organisational measures
Under Article 32, controllers have the obligation to take technical and organisational measures to achieve a level of security appropriate to potential risk. When taking these measures, they need to consider the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. Examples of such measures include:
- Pseudonymisation and encryption;
- Ensuring the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- The ability to restore the availability of, and access to, personal data in a timely manner in the event of a physical or technical incident;
- A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures to ensure the security of the processing.
Both controllers and processors have to take measures to ensure that persons acting under their authority (for example, employees) do not process personal data unless they are acting under instructions or are required to do so by EU or Member State law.
© University of Groningen