meny

Maintain a processing record

Both the data controller and the data processor are obliged to maintain a record or a list of instances of personal data processing. These records are to be in writing, accessible in an electronic format and kept up to date. The records are to be made accessible to the Swedish Data Protection Authority upon request. What the list is to contain is described in Article 30 of the General Data Protection Regulation.

Checklist for data controllers

The data controller's record is to contain the following details:

☐ Name and contact details of the data controller, the data controller's representative and the data protection officer.

☐ The purpose of the processing.

☐ A description of the categories of data subject and the categories of personal data.

☐ The categories of recipient to whom the personal data has been disclosed or is to be disclosed.

☐ Where applicable, transfers of personal data to a third country or international organisation.

☐ Where possible, envisaged time limits for erasure of the different categories of data.

☐ Where possible, a general description of technical and organisational security measures.

Checklist for data processors

The data processor's record is to contain the following details:

☐ Name and contact details of the data processor, every data controller on behalf of whom the processor is acting, the data controller's and the data processor's representatives, and the data protection officer.

☐ The categories of processing carried out on behalf of each data controller.

☐ Where applicable, transfers of personal data to a third country or international organisation.

☐ Where possible, a general description of technical and organisational security measures.

Exemption from the obligation to maintain a record

There is an exemption from the obligation to maintain a record and it applies to companies and organisations with fewer than 250 employees. The exemption applies if all three of the following criteria are met.

Companies and organisations with fewer than 250 employees are not obliged to maintain a record if the personal data processing:

  • is unlikely to result in a risk to the rights and freedoms of data subjects,
  • is occasional, and
  • does not include sensitive data as referred to in Article 9 or personal data relating to criminal convictions and offences as referred to in Article 10.

In the opinion of the Swedish Data Protection Authority every instance of processing must be judged individually. If any of the instances of processing carried out is not covered by the exemption, a record of the processing must be kept, while the instances of processing that meet the above criteria do not need to be included in the record. For example, the processing carried out for the administration of employees' wages and salaries is recorded since it is not occasional at the same time as another type of processing does not necessarily need to be recorded. Regardless of the exemption, the Swedish Data Protection Authority recommends that organisations maintain records to be able to keep track internally of the personal data processing carried out.

Swedish version
If the information in other languages are different from the Swedish version, it is the Swedish version that applies.