GDPR questions and answers

Category:
Documentation and Procedures

How should Art. 30(4) be understood – must the record of processing activities be made available only upon request of the supervisory authority (UODO)?

ANSWER

That provision obliges the controller to make the record available to the supervisory authority when the authority requests it. The controller is not required to submit the record proactively, on its own initiative, without such a request.

On the subject of making the record available, bear in mind that the purpose of maintaining it is to systematise the personal data processing operations performed, which gives it a strictly internal and organisational character. It is therefore not public or publicly accessible, and it should not be published on the controller's website or made available to interested individuals. It is worth remembering that it contains a number of key pieces of information, including a list of the security measures applied, which should remain confidential.
