Article 30 of the GDPR requires controllers and processors to maintain records of their processing

activities, which include information such as the purposes of the processing, the categories of

personal data, the recipients of the data, the retention periods, and the security measures12.

However, Article 30 does not require controllers to keep records of incidents of personal data

breaches, whether disclosed or not. This is a separate obligation under Article 33 and Article 34,

which require controllers to notify the supervisory authority and the data subjects of any personal

data breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural

persons34. Reference: 1: Article 30 of the GDPR 2: What do we need to document under Article 30 of

the UK GDPR? | ICO 3: Article 33 of the GDPR 4: Article 34 of the GDPR

Section: (none)

Reference: https://medium.com/golden-data/what-records-must-controllers-and-processors-keepto-comply- with-eu-data-protection-law-3e8bac177695