Requirements your company must meet at a glance
The record of processing activities is “dynamic”: all identified or defined data processing operations shall be reviewed regularly to check whether the processes still run the way they were initially determined and documented. If processing activities change, e.g., because the company’s demands change, the change has to be reflected in the record of processing activities. For this reason, the responsible contact person in the respective department should be contacted on a regular basis, e.g., once a year.
Your company is required to prove (at any time) that personal data has been processed in a lawful manner (at all times). It follows that the record of processing activities shall contain a history that has to be kept up to date in order to prove compliance with the GDPR, including for past periods.
With regard to contact persons, the GDPR only stipulates that the data controller, its representative and, where applicable, the data protection officer shall be named as contact persons. However, it will facilitate the work of a supervisory authority and reduce the number of follow-up questions in the course of an audit if, in addition to the information explicitly required by the GDPR, the record names the persons responsible for the respective processing activities (e.g., name and contact details of the head of HR, head of IT, etc.).