← Full glossary

Article 30 record (record of processing activities)

The record of processing activities that Article 30 of the GDPR requires controllers and processors to maintain. It must describe the purposes of processing, categories of data subjects and data, recipients, any third-country transfers, retention periods and security measures. It must be in writing, kept up to date and made available to the data protection authority on request. The exemption for companies under 250 employees is narrow, so in practice virtually every company should keep a record.