GDPR questions and answers

Category:
Documentation and Procedures

Is a processor obliged to make the register of categories of processing activities available to the controller?

ANSWER

Art. 28(3)(h) GDPR states that the processor shall make available to the controller all information necessary to demonstrate compliance with the obligations laid down in Art. 28 and shall allow for and contribute to audits, including inspections, conducted by the controller or an auditor mandated by the controller. This provision gives the controller a basis, in the course of an audit or inspection, to inspect the register of categories of processing activities (RKCP). Of course, the RKCP is an internal register: it is not disclosed on a website or made available to data subjects. At the same time, the obligation to make it available to the supervisory authority is addressed in Art. 30(4) GDPR.

It is considered appropriate to make the register available to the controller, but only within the scope concerning that controller. It sometimes happens that we maintain a single register for several controllers and, in haste, also make available entries that do not concern the given controller. It is therefore important to disclose only the data relating to the given controller.

This position is supported by current legal doctrine, as in this excerpt from a 2018 commentary by Magdalena Sakowska-Baryła: "Without doubt, in the case of a processor (or possibly their representative), they should be considered obliged to make the RKCP available, as regards all categories of activities relating to the data entrusted by a specific controller, at the latter's request (see commentary to Art. 28(3)(h) GDPR)."

Must a processor make the register available to the controller? | ODO 24