What is a Record of Processing Activities? What should it include?

The new European General Data Protection Regulation (GDPR), which requires mandatory compliance from 25 May 2018 includes numerous obligations and novelties.

The new GDPR removes the obligation to notify the Spanish Data Protection Agency (AEPD) about the files. Instead, an obligation to maintain a Record of Processing Activities is established in certain cases.

What is a Record of Processing Activities? 

According to Sections 1 and 2 of Article 30 of GDPR:

  • Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility.
  • Each processor and, where applicable, the processor’s representative, shall maintain a record of all categories of processing activities carried out on behalf of a controller.

What information should the Record of Processing Activities contain?

The Record of Processing Activities of the controller must contain the following information:

  • The name and contact details of the controller and where applicable, of the co-controller, of the representative of the controller and of the data protection officer.
  • The purposes of processing.
  • A description of categories of parties concerned and of the categories of personal data.
  • The categories of recipients to whom the personal data is communicated or will be communicated, including the recipients in third countries or international organizations.
  • Where applicable, the transfers of personal data to a third country or an international organization, including the identification of the said third country or international organization and in the case of mentioned transfers in the Article 49, section 1, second paragraph, the documentation with appropriate guarantees.  
  • Where possible, the deadlines set for the deletion of different categories of data.
  • Where possible, a general description of the technical and organizational security measures referred to in Article 32, section 1.

When is it necessary to maintain a Record of Processing Activities? In what format should it be?

Contact us if you have any doubts regarding the Record of Processing Activities and we will help you resolve them!


Share this article


Article written by

Lisa Hofmann

Chief of Legal Operations de Pridatect | Especialista legal certificada en protección de datos por la institución alemana de servicios relacionados con la seguridad TUEV. Con amplia experiencia en ayudar a empresas en el cumplimiento de la privacidad.

Related articles



Would you like to receive regular updates on data protection and GDPR? Subscribe to our newsletter and you will be the first to receive our new blog articles, webinars and ebooks.

Free Webinars