Record of Processing Activities

A record of processing activities is a written document that sets out all the ways your organisation processes personal data. GDPR Article 30 requires you to maintain the record and be able to present it during inspections by the Data Protection Agency.

    What is a record of processing activities?

    A record of processing activities (also called an Article 30 record) is your central overview of how your organisation processes personal data. It is the foundation of your GDPR compliance.

    The record gives you a consolidated picture of what data you process, why, who has access, and when data is deleted. It is also typically the first document the Danish Data Protection Agency requests during inspections.

    Both data controllers and data processors must maintain a record, but the content differs slightly.

    What must it contain?

    For the data controller (Article 30(1)), the record must contain:

    For the data processor (Article 30(2)), the requirements are slightly different and focus on the processing carried out on behalf of the data controller.

    Who must maintain a record?

    Article 30(5) exempts organisations with fewer than 250 employees, but only if the processing:

    In practice, almost all organisations have regular processing of personal data (e.g. payroll, customer administration, newsletters). Therefore, almost all organisations must maintain a record, regardless of size.

    The Danish Data Protection Agency also recommends that all organisations maintain a record, both as a matter of good practice and in line with the accountability principle.

    Maintenance in practice

    A record is only valuable if it is up to date. Follow these steps:

    • Map: Start by identifying all processing activities across departments and systems.
    • Document: Complete the required information for each activity.
    • Update: Review the record at least annually and upon changes to systems, processes or data processing agreements.
    • Involve: Make it a cross-functional task. IT, HR, sales and marketing all process personal data.

    Many organisations start with a spreadsheet, but as complexity grows, a dedicated compliance tool can make maintenance easier.

    Frequently Asked Questions about Record of Processing Activities

    What is a record of processing activities?

    A record is a written document that sets out all the ways your organisation processes personal data. It is a requirement under GDPR Article 30 and must contain information about purposes, categories of data, recipients, third-country transfers and planned retention periods.

    Who must maintain a record?

    All organisations with more than 250 employees must maintain a record. Smaller organisations must also do so if the processing is not occasional, involves a risk to data subjects, or involves sensitive personal data. In practice, this means almost all organisations need a record.

    What must a record contain?

    For data controllers, the record must contain: the organisation's name and contact details, the purpose of processing, categories of data subjects and data, recipients, third-country transfers, planned retention periods and a description of security measures.

    How often must the record be updated?

    The GDPR does not specify a frequency, but the record must always reflect the current situation. In practice, you should review it at least once a year and update it when processing activities, systems or processes change.
