What Are the Records of Processing Activities?
It is a requirement to keep a record of processing activities under Article 30 of the GDPR.
The record of processing activities outlines the processing of personal data within an organization and the details of this processing. Its purpose is to ensure that organizations are transparent and accountable for their data processing activities, and to demonstrate compliance with the GDPR.
The record serves as a central reference for all data processing activities and must be regularly updated to ensure accuracy and completeness. Maintaining a record of processing activities is crucial for organizations to fulfill their obligations under the GDPR and demonstrate their compliance to regulators and other stakeholders.
Why Have a Record of Processing Activities?
Article 30 of the GDPR requires organizations to maintain a record of processing activities, which is a legal requirement.
The record of processing activities serves as a management tool for data protection by providing an overview of the processing. When the processing of personal data is mapped to this record, it aids in complying with other requirements of the GDPR, such as implementing appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as required by article 32.
The record will become the management tool to align the organization’s efforts in its GDPR compliance.
Exemptions to Having a Record of Processing Activities.
Article 30(4) exempts organizations with fewer than 250 employees from having to keep records of processing activities, but only if their processing of personal data does not:
- pose a risk to the rights and freedoms of data subjects,
- occur only occasionally, or
- involve special categories of data as referred to in Article 9(1), or personal data relating to criminal convictions and offenses as referred to in Article 10.
In practice, these exemptions are rarely relevant since legislators consider salary management or customer data processing as non-occasional processing of personal data.
Most businesses have customers, employees, or visitors to their website, making the exemption difficult to use in practice, as even a holding company might have a website.
Furthermore, this exemption would not excuse an organization from complying with other GDPR requirements. As the record of processing activities is an excellent tool for complying with GDPR rules, not having one would be counterproductive to an organization’s GDPR compliance efforts.
To be clear, you should maintain a record of processing activities. It is unlikely that you will be exempt from this, and maintaining a record is also necessary to comply with the other rules of the GDPR.
Article 30: The Records of Processing Activities
An organization, whether a data controller or a data processor, must keep a record of their processing activities. These records should be in writing and made available to the supervisory authority upon request.
The following two sections describe the requirements for records of processing activities for data controllers and data processors, respectively.
Data Controller: The Records of Processing Activities
Article 30(1) of the GDPR outlines the minimum requirements for the information that should be included in your records of processing activities when you are acting as a controller.
These minimum requirements are as follows:
- Note your organisation’s name and contact details so that the data subjects will know who the controller of the processing of their data is. If you determine the purpose and means of processing jointly with another controller, i.e. another organisation, you should also mention their contact details. In case that you have appointed a data protection officer, then you should also note the contact details hereof.
- Describe all the purposes of the processing of personal data.
- Describe the categories of data subjects, e.g. website visitors or job applicants. You must also describe the categories of personal data, e.g. special categories of personal data or general personal data and the specific data types within these categories.
- Describe the categories of recipients to whom you will disclose personal data, which could be a company subsidiary, a business partner, a tax office, etc. This also goes for recipients in third countries or for international organisations.
- Describe transfers of personal data to third countries or international organisations, and if relevant the documentation of suitable safeguards.
- Describe the criteria or time limits for erasing the different categories of personal data, e.g. when would you delete a job applicant’s data if the applicant didn’t get the job?
- Make a general description of the security measures to ensure a level of security appropriate to the risk.
Data Processor: The Records of Processing Activities
A data processor must maintain a record of the processing activities it performs on behalf of the controller. These requirements differ slightly from the controller’s requirements and are stated in article 30(2) of the GDPR.
The requirements for the record of processing activities are as follows for data processors:
- Note the name and contact details of the processor and the controller for whom the processor is acting.
- Describe the processing activities carried out on behalf of the controller.
- Describe transfers of personal data to third countries or international organisations.
- Make a general description of the security measures to ensure a level of security appropriate to the risk.
When we mention the records of processing activities going forward, we will primarily refer to the records of processing activities of the controller.
The Records of Processing Activities and Add-ons
To make GDPR compliance more manageable, we recommend adding additional categories to your records of processing activities. Although article 30 outlines certain rules for compliance and documentation, the GDPR contains many more requirements. The records of processing activities is an excellent tool for documenting compliance with all of these rules.
Expanding the record of processing activities to include additional compliance subjects can help you better implement GDPR and document your compliance. Although this may seem like more work upfront, it will save you time in the long run.
One of the complexities of GDPR compliance is the requirement to document compliance with all rules. This can be a seemingly impossible task for small businesses, but by adapting the records of processing activities, you can manage documentation of your compliance more efficiently.
We recommend maintaining a record of processing activities that covers all of the following sections.
1) Processing Activities
The first step in creating your records of processing activities is to map and define all of your processing activities. First you should describe all processes in your business where personal data is being processed.
You should define and name your processing activities to be meaningful from a business perspective and distinguishable from other processing activities, so that you do not mix them together.
For instance, a processing activity might be “customer support” or “sales outreach”. Since these activities are distinct from each other and would be carried out by different employees on different teams, it makes sense from a business standpoint to document them as two separate processing activities.
The processing activity “customer support” involves processing personal data of existing customers, while “sales outreach” involves processing personal data to acquire new customers.
They also serve different purposes and will have different legal premises.
A typical business with 50 employees may have up to 30 processing activities, while a company with 1,500 employees could have up to 100. The definition of processing activities can vary and is partly subjective, as businesses have individual needs.
Defining processing activities in a meaningful way is the foundation of GDPR compliance. GDPR documentation will be built upon these activities, and they should be the main driver in implementing GDPR into your organization to cover all your processes. More details on this can be found elsewhere.
Some processing activities are related as they may concern the same overall topic. For instance, the HR team may have the following processing activities:
- Solicited job applications
- Unsolicited job applications.
- Onboarding of new employees
- Employee performance evaluations
- Dismissal of employees
- …And many many more processing activities.
It makes sense to have these as separate processing activities in your RoPA, and not group them into one big processing activity called “HR”.
The purposes of processing job applications for a job opening and the dismissal of an employee are clearly distinguishable, and it would not make sense to try to treat them the same.
Though, it still makes sense to categorize them within an overall business category as “HR” as the HR team is ultimately the team responsible for these processes within your organisation.
So, it makes sense to add a relevant business category to your records of processing activities, e.g.:
- Customer Support
In practice, the manager of each of these business categories would be responsible for defining the processing activities within their team and to comply with GDPR for these processes.
Delegating this responsibility to the team leaders and employees is actually a very important part of complying with GDPR in practice, and is something that many companies fail to do.
3) Description of the Processing Activity
We recommend that you describe each of the processing activities in as much detail as possible, and focusing on the processing of personal data. This description will help you clarify how you define the processing activity and will help you distinguish it from other processing activities.
The description will also serve you when you need to come back to update this processing activity record. Furthermore, it will help anyone reading your records of processing activities that didn’t define the activity themselves e.g. your CEO or organisational stakeholders.
4) Data Controller or Processor
As mentioned in the beginning, there is a difference in requirements to keep a record of processing activities whether you are a data controller or a data processor. Therefore, you should note whether you are a data controller or a data processor for each processing activity. This will help you to identify your obligations for the different activities when you look through the records of processing activities.
For instance, when you process personal data as a data processor you must follow the procedures of the data controller as you simply are processing personal data on their behalf. If you think that you might be processing personal data on someone else behalf then you should read about “data processor”.
5) Purpose of Processing
In the process of defining the purposes of the processing activities it might seem repetitive as some of these processes are similar, and might overlap slightly.
If you define the purposes of two processing activities and find that they are very similar, this might indicate that you need to combine them into one activity. However, it is not a requirement.
Example: Customer Support
Looking at the purpose of processing personal data for “customer support”, it is clear that you need basic personal data to give them the required support. You will need to identify the customer and their purchase history. In this case, the purpose of processing the personal data of the customers would be;
- To make sure that you have identified the correct customer,
- To offer a good service,
- and most importantly, to honor your terms and conditions of the purchasing agreement.
6) Other Purposes
You should also consider if you are processing personal data for purposes other than the original. If you intend to process the data further, you must provide information on this to the data subject when the personal data are obtained, according to article 13(3).
7) Information Assets and Data Processors
The GDPR requires that you process personal data in an appropriate manner. Processing of personal data typically involves using some form of software, whether it is your own software or an external software or a service provider.
Therefore, we suggest that you add information about the location of your data processing to your Records of Processing activities.
For each processing activity, you should specify the information assets that are used to process the information.
We use the term “information assets” to refer to assets that contain information, such as personal data. This includes software systems, websites, Excel sheets, data storage units, file systems, drives, mail clients, archives, and other assets used to process information.
Some information assets may be Software as a Service (SaaS), which means that the information is processed by external parties. This often means that these external parties are data processors, but we would need to check in all instances to confirm this.
Certain processing activities are often outsourced to external consultants, such as bookkeepers or marketing agencies. These individuals are considered data processors because they conduct the processing on behalf of the data controller.
It is important to determine whether data processors are involved in processing activities to ensure that the processing of data is GDPR compliant when carried out on your behalf.
Mapping your information assets and data processors can help your company understand data flows within systems and ensure proper management. This mapping also provides an organized view of contracts and suppliers, which can improve procurement and contract management.
8) Data Volume
For all data processing activities, it is important to note the number of people whose data is being processed and add this information to your Records of Processing Activities (RoPA). This will clarify the activity’s importance and priority in your GDPR compliance efforts, and help with your risk assessment. An approximation of the data volume is sufficient, so there’s no need to get bogged down in the details.
The data volume also provides valuable insight to the company’s management regarding the distribution of data processing among each processing activity.
9) Personal Data
You should list all types of personal data being processed for each activity. This will ensure full transparency of the processing activity. Additionally, this information can be used to fulfill your obligation to inform the data subjects of your processing and for your risk assessment of the activity.
Here are some suggestions for the types of personal data that could be added:
- First name
- Last name
- Middle name
- Race or ethnicity
- Marital status
- Job title
- Company name
- Work email address
- Work phone number
- Home phone number
- Emergency contact information
- Medical diagnoses
- Medical treatment information
- Prescription information
- Geolocation data
This transparency will make you more aware of where and how you process data, and whether it is necessary to process the data given the purpose of the activity.
10) The Categories of Data Subjects
You must describe the categories of data subjects in the records of processing activities.
Examples of categories of data subjects could be:
- Kids under 16 years of age.
- Criminals, etc.
This information is helpful from a compliance perspective because certain categories of data subjects require greater care when processing their data. For example, processing data of children under 16 years of age might pose a higher risk and require more awareness of the implications when they share their data.
11) Categories of Personal Data
You must also register the categories of personal data in the records of processing activities.
These categories of personal data are:
- Personal data (or general personal data).
- Special categories of personal data
- Personal data relating to criminal convictions and offences.
Special categories of personal data are also referred to as sensitive personal data and cover the following categories:
- Race and ethnic origin
- Political beliefs
- Religious or philosophical beliefs
- Trade union affiliation
- Genetic data
- Biometric data for unique identification
- Health information
- Sexual relationships or sexual orientation.
Personal data relating to criminal convictions and offenses could be the criminal records of a person or even the prisoner’s address as the home address would be at the prison, and will therefore imply that the person has a criminal record.
A person’s email address, telephone number, address, social media handle, etc., is personally identifiable information, but these personal data are usually non-sensitive. These data are non-sensitive because they are not categorized as such in article 9 of the GDPR.
Special consideration should be given to the processing of sensitive personal data. In practice, this entails ensuring appropriate measures are implemented in compliance with article 32.
12) Legal Basis for Processing
Article 30 does not explicitly state that you should register the legal basis for processing personal data in the records of processing activities. However, according to Articles 13-14, you must provide the data subject with information about the legal basis for processing at the time when personal data are obtained.
Therefore, it is good practice to record the legal basis of your data processing activities in your records of processing activities. This ensures that such information is readily available for all of your processing activities.
Furthermore, noting the legal basis in the RoPA helps you to document that you are complying with the GDPR, which is a requirement according to article 5 of the GDPR.
You should always have a legal basis for processing personal in article 6 of the GDPR – otherwise your processing of personal data would be illegal. A typical business will be able to use the following legal basis for processing personal data:
- Article 6(a) ‘consent’.
- Example: When someone signs up for your newsletter, they need to provide consent for you to send them the email newsletter.
- Article 6(b) ‘contract’.
- Example: When entering into a contract with a customer, it is often necessary to process data about that customer.
- Article 6(c) ‘legal obligations’.
- Example: For accounting purposes, accounting laws require you to process invoices and similar documents.
- Article 6(f) ‘legitimate interests’.
- Example: Monitoring web activity within an organization can be a legitimate interest for IT security purposes.
Sensitive Personal Data.
If you process sensitive personal data, you must have a legal basis for processing under article 9 in addition to article 6. Therefore, it is necessary to have a legal basis in both article 6 and article 9 of the GDPR.
This would suggest that you should also add your legal premise for processing sensitive personal data to your records of processing activities when this might be the case.
A typical business may process sensitive personal data about their employees if it pertains to a health issue involving the company, such as an employee being on sick leave. It may also be relevant for the organization to register whether an employee is a member of a certain trade union. These examples of sensitive personal data can be processed on the legal basis of Article 9(2)(b), as the employer must comply with employment legislation and its social security obligations.
13) Related Laws
Business activities are often impacted by various laws such as employment regulations, construction laws, consumer laws, and more. These laws may require organizations to process personal data in certain ways, such as maintaining a minimum required storage duration.
Therefore, it would be helpful to include any information about related regulations that cover the processing activity.
14) Data Source
In the context of the GDPR, it is necessary to distinguish between obtaining personal data directly from the data subject or other third parties.
When personal data is obtained from the data subject, you need to provide information about the processing of personal data following article 13 and, when obtained through other means, following article 14.
When personal data have not been obtained from the subject, you are obliged to inform from which source the personal data originate and, if applicable, whether it came from publicly accessible sources.
So, by keeping a record of this information, you can use this as an indicator of what information you should provide the data subject upon obtaining their data.
It will be your checklist of how to comply with articles 13 and 14 for all your processing activities.
15) Data Collection Methods
The requirement of articles 13-14 is that you provide information to the data subject at the moment of collecting their data for the processing activity. Therefore, you should track how you provide this information in practice, so that you can ensure compliance in these cases.
For instance, the data collection could be obtained from a contact form on a website, when a customer signs up for the newsletter. It could also be obtained through a telephone conversation between a customer service agent and a customer who is making a complaint.
The GDPR requires you to document your compliance. By keeping a record of the sources used in the processing activities, you can improve your GDPR compliance documentation.
You also need to ensure that your software systems are correctly set up to provide information to the data subject and that the process of providing this information complies with GDPR. For instance, if processing is based on consent, you must be able to demonstrate that the data subject has given consent to process their data, and that you have provided them with information about your processing of their data at the time of collecting these.
16) How Is Information Provided to The Data Subject?
It is necessary to provide information to the data subject when collecting their personal data, and to manage this effectively, you should specify how this is done.
Your processing activities will likely have different ways of collecting data and, therefore, also distinct ways of providing the necessary information to the data subjects.
There are many other ways, and they depend on your specific data processing.
Adding this information to your records of processing activities helps you document GDPR compliance.
17) Disclosure of Personal Data
If you plan to disclose data to another recipient, you must inform the data subject at the latest when the personal data are first disclosed.
Example of disclosure: A medical doctor may need to disclose a patient’s medical records to an insurance company or social security in order for the patient to receive support.
18) Third Parties Access to Personal Data
Do you hire consultants in marketing, accounting, IT, artificial intelligence or lawyers? Then they could get access to your company’s personal data when providing their service.
They are external parties as they are not employed within your organisation. As external parties are not part of your organization, you should limit their access to personal data under your control. Additionally, any external parties processing personal data within your control should receive guidelines on how to process personal data, be trained in these guidelines, and be held accountable through a contract.
Consider whether the external parties who process personal data on your behalf are classified as data processors. If they are, you will need to comply with GDPR rules that apply to data processors. Among other things, you will need to sign a data processing agreement.
The external parties could also simply be contractors who have access to personal data, but without processing the data being the purpose of their work, ie. they wouldn’t be data processors. This could be the case for occasional hardware repair professionals, IT supporters, marketing freelancers, lawyers, accountants, temporary workers, and so on.
These contractors fall somewhere in between being data processors, employees, and controllers in their own right. To ensure accountability and compliance with your policies for processing personal data, you can have the contractor sign a confidentiality agreement.
It is important to document when external parties have access to your processing activities in your records. This allows you to assess the roles of each professional involved in the processing activities. By doing so, your records of processing activities can become a useful management tool for GDPR compliance.
19) Transfers to Third Countries
Third countries, with respect to the GDPR, refer to any countries outside the EU or the EEA (Norway, Iceland, Liechtenstein).
Examples of third countries are USA, China, India, Australia, Canada, and many others.
A transfer of personal data occurs when personal data is processed in third countries. This could involve having reading access, storing information, or editing information.
Many commonly used software solutions are either owned by companies based in the USA or make use of servers hosted by companies based in the USA, such as Amazon Web Services, Microsoft Azure, or Google Cloud, to process their data. Using these solutions often involves transferring personal data to a third country, indicating that such transfers are commonplace.
When transferring personal data to third countries, you need to have a legal basis for doing so. Therefore, it is important to assess all processing activities for transfers to third countries, including transfers to partners, subdivisions, contractors, software providers, and so on, that are located in third countries.
20) Legal Premise for Third Country Transfer
If you have identified that you transfer data to third countries, you will need to determine how to comply with the conditions specified in Chapter 5 of the GDPR. These conditions require you to have a legal basis for any transfers to third countries.
Chapter 5 of the GDPR provides the following legal bases for transfers to third countries:
- Article 45: Transfers on the basis of an adequacy decision
- Article 46: Transfers subject to appropriate safeguards
- Article 47: Binding corporate rules
- Article 48: Transfers or disclosures not authorised by Union law
- Article 49: Derogations for specific situations
This is a complex topic, but for most small businesses, transfers are made on the basis of an adequacy decision (article 45) or with appropriate safeguards in place (article 46).
21) Storage Limitation
When documenting your processing activities, it is a requirement to document the “envisaged time limits for erasure of the different categories of data.” Therefore, you must include this information for all your processing activities.
The GDPR also requires the erasure of personal data once it is no longer necessary for processing purposes, in accordance with the principle of storage limitation outlined in Article 5.
Limitations on the storage of personal data can be challenging requirements for businesses, so it is important to approach them diligently.
To ensure compliance with GDPR in your daily workflow, you also need to determine how to delete this data. There are two aspects to consider:
- What event or action indicates that the processing of personal data is no longer necessary for a processing activity?
- For example, when a user cancels a paid subscription.
- How long will you store personal data after the triggering event?
- For example, the user’s profile will be deleted immediately after cancellation.
Setting the Retention Period
You are required to establish a retention period for processing activities, so this will ensure that personal data is not stored when the processing purposes are no longer valid.
The retention period for personal data can be determined by various factors, such as legal requirements, business sector guidelines, or a proper assessment of when you no longer need to process the personal data for your processing activity.
For instance, the retention period could be as short as 0 days or as long as 5 years, after which you would need to erase the data.
Once you have determined the retention period, the next question to consider is: what triggers the start of the retention period?
Setting Retention Triggers
It is important to determine the trigger for when to start counting the retention period in order to properly process personal data. Once the trigger event occurs, the clock for the retention period should start running.
- A user cancels a paid subscription.
- A newsletter subscription is cancelled.
- An annual report is published.
- A service has been delivered and completed for the customer.
These events should trigger your deletion policies for each of these processes, so that personal data is deleted when it is no longer necessary.
To comply with GDPR’s storage limitation principle, it’s important to delete personal data from your systems and document the process, as documenting compliance is a requirement in itself.
By adding the above-mentioned information to your records of processing activities, you have made progress in documenting deletion. However, to fully comply with GDPR regulations, you should also include a deletion procedure in your GDPR compliance plan.
A deletion procedure can help you and your colleagues to ensure that data is permanently and irrecoverably removed. The procedure should include a description of the technical process of deletion, who performed the deletion, when it should be deleted, when it was done, and the method used. This is particularly important when data is held in multiple locations or formats, such as an accounting software or an Excel sheet.
You can either add a link to your deletion procedure in the records of processing activities or include the description directly within the records of processing activities.
Profiling refers to the automated processing of personal data to analyze or predict a person’s behaviors and preferences. Profiling can be used by, for example, health insurance companies to evaluate the health risks of a client, or by banks to assess creditworthiness.
If you perform profiling on clients, employees, etc., article 30 requires you to document this in the records of processing activities.
23) Automatic decisions
If you make automated decisions based on profiling, it is necessary to note this in your records of processing activities.
24) Risk Assessment
While the GDPR does not explicitly state that you must conduct risk assessments of your processing activities, articles 24, 25, and 32 indirectly require you to do so.
These articles mandate that the data controller take into account “the risks of varying likelihood and severity for the rights and freedoms of natural persons” and that “the controller shall implement appropriate technical and organizational measures.”
In order to implement the required appropriate technical and organizational measures, your company must assess what “appropriate” means in the context of the specific processing activity. This will be achieved by conducting a risk assessment of the processing activity.
Risk assessments are also important for your GDPR compliance as they document your considerations. As such, they should be included in your Records of Processing Activities, which is your most important tool for complying with GDPR.
25) Organisational and Technical Security Measures
Article 30 also requires you to include a general description of the technical and organizational security measures referred to in Article 32(1).
This means that for every processing activity, you should consider what security measures would ensure an appropriate level of security in light of the risk of infringement on the rights and freedoms of the data subjects.
You can add this description directly to your Records of Processing Activities or link to your Information Security Policy, which should cover it. It is important to have sufficient security measures that cover each of your processing activities.
We recommend creating a general information security policy that covers your entire organization. This policy should outline your overall security measures, such as the use of surveillance cameras, access to premises, and antivirus software.
We recommend creating a policy for each processing activity that outlines the security measures and procedures specific to that activity. For example, a policy could detail how to communicate with customers via email. You can add this policy directly to the Records of Processing Activities, or create a separate policy and link to it from the RoPA.
There may be several procedures relevant to a processing activity, and to keep track of them, we suggest adding a link to the records.
This is part of your overall compliance documentation and will make management easier.
27) Process Owner
For every process in your records of processing activities, you should appoint a process owner and add their name to the record.
The process owner will be responsible for introducing appropriate security measures for the processing activity and ensuring that the documentation is up to date. They do not have to be a GDPR expert, but should work closely with the GDPR manager of the company.
Any changes to the processes should be checked with the GDPR manager to ensure that the new practices and documentation are GDPR compliant.
28) Audit Log
Whenever you make changes to your records of processing activities, you should include, at a minimum, the date of the change and the person responsible for the changes. Doing so will help demonstrate your ongoing updates of the GDPR documentation, which is necessary for GDPR compliance.
In addition, it will facilitate internal dialogue within the company about changes to the records of processing activities, and provide documentation in case of any doubts.
29) Outstanding Tasks
Creating records of processing activities will require mapping out numerous processes, which will generate ongoing GDPR-related tasks.
To keep track of these tasks, we recommend adding them to the record along with the specific processing activities they relate to.
In this article we have explained in detail how to create the records of processing activities, so that it would be both GDPR-compliant and useful for your GDPR-compliance. We have added several subjects to the records of processing activities which we find necessary to become GDPR-compliant.
We hope that you will recognize that the records of processing activities can be fruitful for your GDPR-compliance, and absolutely necessary to be able to manage the ongoing requirements to your organization.