Records of Processing Activities

A record of processing activities is a documented overview of all the processing activities your organisation carries out with personal data. It is mandatory under GDPR Article 30 and is one of the most important tools for demonstrating compliance with the regulation.


    What is a record of processing activities?

    A record of processing activities (also called an "Article 30 record") is a central compliance document that describes how your organisation processes personal data. It gives you and supervisory authorities a consolidated overview of what data you process, why, who has access and how you protect it.

    GDPR Article 30 makes the record mandatory for both data controllers and data processors. There is a limited exemption for organisations with fewer than 250 employees, but it only applies if the processing is occasional, does not pose a risk to the data subject and does not involve sensitive data. In practice, most organisations are covered.

    The record is more than a compliance requirement. It is the foundation for your data protection work. Without it, you do not know exactly what data you hold, and you cannot carry out meaningful risk assessments or impact assessments.

    Content and requirements

    GDPR Article 30 specifies what the record must contain. For data controllers:

    • Name and contact details: The name and contact details of the data controller and, where applicable, any joint controller, the controller's representative and the DPO.
    • Purpose of the processing: What do you use the data for? Each purpose must be described clearly.
    • Categories of data subjects: Customers, employees, supplier contacts, applicants, etc.
    • Categories of personal data: Names, email addresses, national identification numbers, health data, etc.
    • Recipients: Who do you share data with? This includes data processors and any third-country transfers.
    • Transfers to third countries: Documentation of the transfer basis (e.g. standard contractual clauses).
    • Retention periods: When do you delete the data?
    • Security measures: A general description of your technical and organisational measures.

    For data processors, the requirements are slightly different and focus on the categories of processing carried out on behalf of data controllers.

    Building your record

    Start by mapping all your processing activities. Go through each department: HR, sales, marketing, customer service, IT, finance. Ask: what personal data do you use, about whom and for what purpose?

    Structure the record so that each processing activity is a separate entry. "Recruitment" is one activity, "Payroll administration" is another, "Newsletter distribution" is a third. This provides clarity and makes updates easier.

    Use a dedicated tool rather than spreadsheets. Spreadsheets are difficult to maintain, lack version control and quickly become unmanageable as the number of processing activities grows.

    Link the record to your other compliance activities. When you know your processing activities, you can more easily assess risks, carry out impact assessments and document your policies and procedures.

    Maintenance and use

    The record is a living document. It must be updated when you introduce new processing activities, change existing ones, switch suppliers or change purposes.

    Make updates a regular process. Many organisations use a quarterly review, supplemented by ad hoc updates when changes occur. Assign a responsible person for each processing activity so that accountability is clear.

    Use the record actively in your internal audit. It is an obvious starting point for assessing whether your processing activities are still lawful, proportionate and secure.

    During inspections, the record is typically the first document the supervisory authority requests. An up-to-date and well-structured record signals that you take data protection seriously. An incomplete or outdated record signals the opposite.

    The record also supports your ability to respond to requests from data subjects. When a customer asks for access to the data you hold about them, the record gives you an overview of where to look.

    Frequently Asked Questions about Records of Processing Activities

    Is a record of processing activities mandatory?

    Yes. GDPR Article 30 requires both data controllers and data processors to maintain a record. The exemption for organisations with fewer than 250 employees only applies to occasional processing without risk and without sensitive data. In practice, most organisations are covered.

    What must the record contain?

    For data controllers: name and contact details, purpose of the processing, categories of data subjects and personal data, recipients, third-country transfers, retention periods and a description of security measures.

    How often should the record be updated?

    Continuously, whenever processing activities change. Most organisations supplement with a quarterly review to ensure the record is complete and up to date.

    Must the record be shared with the Data Protection Agency?

    You must make it available to the Data Protection Agency on request. You do not need to submit it proactively, but it must be ready and up to date so that you can present it during an inspection.
