Art. 30 medium Severity GDPR European Union

GDPR Article 30 — Records of processing activities

Enforced by: ICO (UK) / National DPAs
Current as of May 25, 2018
Plain Language Summary
Must maintain a written record (ROPA) of all data processing activities. Regulators will ask for it. Required for organizations with 250+ employees.

Each controller shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information: the name and contact details of the controller; the purposes of the processing; a description of the categories of data subjects and of the categories of personal data; the categories of recipients to whom the personal data have been or will be disclosed; where applicable, transfers of personal data to a third country.

Related Enforcement Cases

British Airways — GDPR Data Breach Fine (£20M) £20M
Marriott International — GDPR Fine (£18.4M) £18.4M