Question 1

Do trust and corporate service businesses need to maintain a GDPR Article 30 register?

Accepted Answer

Yes. Any organisation that processes personal data — including trust companies, corporate administrators, and fiduciaries — is expected to maintain a Record of Processing Activities under Article 30 of the UK GDPR and EU GDPR. This applies regardless of size, unless the organisation has fewer than 250 employees and meets specific exemption criteria (which most TCBs do not, given the nature of the data they process).

Question 2

How should we document beneficial ownership data collection under GDPR?

Accepted Answer

Beneficial ownership data collection is a processing activity that is expected to appear in your Article 30 register. Organisations are expected to document the purpose (regulatory compliance with beneficial ownership legislation), the lawful basis (legal obligation), the categories of personal data collected (name, date of birth, nationality, ownership percentage), retention periods, and any third parties the data is shared with.

Question 3

We administer data for multiple client entities — do we need a separate RoPA for each?

Accepted Answer

As a data controller for your own operations, you are expected to maintain one Article 30 register covering your firm's processing activities. If you also act as data processor on behalf of client entities, organisations are expected to maintain a separate processor record under Article 30(2). Many TCBs operate as both controller and processor — your register should clearly distinguish between the two roles.

Question 4

What transfer mechanisms are expected for cross-jurisdiction data flows?

Accepted Answer

Data flows between Jersey, the UK, the EU, and offshore jurisdictions are expected to be documented with a legal mechanism under Article 46 — typically Standard Contractual Clauses (SCCs), Binding Corporate Rules, or reliance on an adequacy decision. Each relevant data flow is expected to be recorded in the Article 30 register with the destination country and the mechanism used.

GDPR documentation built for complex entity structures

The compliance challenge

Entity proliferation means data flow complexity

Cross-jurisdiction transfers are unavoidable

Beneficial ownership obligations overlap with GDPR

How Clarium helps

Map entity structures as data flows

Beneficial ownership processing, documented

Cross-jurisdiction transfer tracking

Regulator-ready exports

Common use cases

Import your entity list

Map processing across entities

Export a JOIC-ready RoPA

Controller and processor records

Ready to simplify your GDPR compliance?