Benchmark: Article 30 Records of processing activities
To obtain the latest version of the official guide, please visit https://www.privacy-regulation.eu/en/article-30-records-of-processing-activities-GDPR.htm.
Each controller and, where applicable, the controller's representative, shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information like the name and contact details of the controller and where applicable, the joint controller, the controller's representative and the data protection officer, the purposes of the processing etc.
Each processor and where applicable, the processor's representative shall maintain a record of all categories of processing activities carried out on behalf of a controller, containing the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable of the controller's or the processor's representative, and the data protection officer, where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards.
The records referred to in paragraphs 1 and 2 shall be in writing, including in electronic form.
The controller or the processor and, where applicable, the controller's or the processor's representative, shall make the record available to the supervisory authority on request.
The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10.
steampipe check aws_compliance.benchmark.article_30
- At least one multi-region AWS CloudTrail should be present in an account
- All S3 buckets should log S3 data events in CloudTrail
- At least one trail should be enabled with security best practices
- CloudTrail trails should be integrated with CloudWatch logs
- CloudTrail trail logs should be encrypted with KMS CMK
- AWS Config should be enabled
- ELB application and classic load balancer logging should be enabled
- KMS CMK rotation should be enabled
- Redshift cluster audit logging and encryption should be enabled
- VPC flow logs should be enabled