Article 30 GDPR
Registration of processing activities

1. Each controller and, when applicable, the controller's representative shall maintain a register of personal data processing activities for which they are responsible. This register shall include all of the following information:

(a) the name or address and contact details of the administrator and any co-administrators and, where applicable, the representative of the administrator and the data protection officer;

b) cele przetwarzania;

(c) a description of the categories of data subjects and categories of personal data;

(d) categories of recipients to whom personal data have been or will be disclosed, including recipients in third countries or in international organisations;

(e) where applicable, the transfer of personal data to a third country or an international organization, including the name of that third country or international organization, and, in the case of transfers referred to in the second subparagraph of Article 49(1), documentation of the appropriate safeguards;

(f) where possible, the planned deletion dates for each data category;

(g) where possible, a general description of the technical and organizational security measures referred to in Article 32(1).

2. Each processor and, when applicable, the processor's representative shall maintain a register of all categories of processing activities performed on behalf of the controller, including the following information:

(a) the name or address and contact details of the controller or processors and of any administrator on whose behalf the controller acts, and where applicable the representative of the controller or processor and the data protection officer;

(b) the categories of processing carried out on behalf of each administrator;

(c) where applicable, transfers of personal data to a third country or an international organization, including the name of that third country or international organization, and, in the case of transfers referred to in the second subparagraph of Article 49(1), documentation of the appropriate safeguards;

(d) where possible, a general description of the technical and organizational security measures referred to in Article 32(1).

3. The registers referred to in paragraphs 1 and 2 shall be in written form, including electronic form.

4. The controller or processor and, where applicable, the controller's or processor's representative shall make the register available to the supervisory authority upon request.

5.

*

The obligations referred to in paragraphs 1 and 2 do not apply to a business or entity employing fewer than 250 people, unless the processing they carry out is likely to result in a risk to the rights or freedoms of data subjects, is not occasional, or involves special categories of personal data referred to in Article 9(1), or personal data relating to criminal convictions and offenses, as referred to in Article 10.