The GDPR requires that all companies which process personal data on a significant scale, or process sensitive personal data, keep records of their processing activities.
There are no set rules as to what the records should look like, but they must contain at least the following:
- contact details of a person within the organisation
- purpose for processing, explained in detail
- categories of personal data used
- special categories of data (sensitive data), if any
- existence of data transfers to third countries
- retention periods
- overview of security and technical data protection measures
- any additional information, if deemed necessary
Companies with fewer than 250 employees are exempt from most record-keeping activities. Find out more in this article.