This post is also available in: esEspañol

As is well known, with the application of the General Data Protection Regulation (GDPR), the obligation to notify the Spanish Data Protection Agency (AEPD) of data files for their registration in the General Data Protection Registry no longer exists, but there are other obligations of an organizational nature. In particular, since the GDPR is applicable, companies must—in most cases—prepare a RECORD OF PROCESSING ACTIVITIES that must contain the information indicated in article 30 of the GDPR; this obligation is similar to the obligation that existed under Royal Decree 1720/2007 for preparing and keeping the so-called “security measures document” up to date.

Article 30 states that: “Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility.” In short, it entails the duty to have a record with the following information:

  1. a) the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer;
  2. b) the purposes of the processing;
  3. c) a description of the categories of data subjects and the categories of personal data;
  4. d) the categories of recipients to whom the personal data was disclosed or will be disclosed, including recipients in third countries or international organizations;
  5. e) where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization and, in the case of transfers referred to in the second subparagraph of article 49 (1); the documentation of suitable safeguards;
  6. f) where possible, the envisaged time limits for erasure of the different categories of data;
  7. g) where possible, a general description of the technical and organizational security measures referred to in article 32 (1).

As such, the AEPD has published an example of how to keep this record, with the main aim of helping the different controllers to comply with this obligation under the GDPR.

In the published record, the AEPD has reflected in detail that which is regulated in article 30.1 of the GDPR, which also includes the legal basis justifying the processing. In particular, it openly states the personal processing carried out by the agency, based on the record of files that it held before the application of the GDPR, and while adding and amending the new processing arising after the regulation.

Although many of the processing activities the AEPD carries out itself and established in the published example may correspond to those carried out by several controllers (“Record of I/O, HR Management, Library management and control”), it is left to the discretion of the controller—according to that regulated and already mentioned in article 30—to conclude how to keep that record.

This post is also available in: esEspañol



7 artículos


25 artículos