Obligation to Maintain Processing Records
The obligation to maintain processing records is stipulated in Article 30 of the GDPR. In principle, every controller is subject to the obligation to maintain such a record of processing activities.
The obligation to maintain the processing records shall not apply to an enterprise or an organization employing fewer than 250 persons. However, the obligation is only omitted if the processing the enterprise or organization carries out is not likely to result in a risk to the rights and freedoms of data subjects, the processing is occasional, and if the processing does not include special categories of data as referred to in Article 9 para 1 of the GDPR.
The very complicated wording of this exception is likely to result in very few companies benefitting from the exception to the obligation to maintain processing records. The controller shall, on request, provide the supervisory authority with the processing records according to Article 31 of the GDPR.
Maintaining processing records is the basis for compiling, and keeping available, the necessary information for the accountability and documentation obligations.