GDPR processing activities log: obligations, content, and expert advice
A key GDPR tool, the processing log records the use of personal data, guiding organizations in their compliance efforts and helping them avoid heavy penalties.

The processing activities register, also known as the "processing register," documents activities involving personal data as required by the GDPR.
It is used to record:
- The purposes
- The legal bases
- Retention periods
- The recipients
Every area of activity is concerned, including insurance, healthcare, local authorities, media, industry, and e-commerce. The register facilitates risk management and the organization of actions to be taken.
Tools such as Adequacy enable collaborative, audited management thanks to their Register module. We consider it to be the cornerstone of compliance management. It provides structural support for managing compliance on a daily basis.
What is a processing record under the GDPR?
Article 30 of the GDPR provides for the processing record, which is a document that lists and analyzes all personal data processing carried out within an organization.
It provides an overview of the processed data, its intended use, the categories of data subjects, the data recipients, any transfers to third countries, the retention periods, and the implemented security measures.
This register is mandatory for data controllers and processors, except for companies with fewer than 250 employees under certain conditions.
The processing record is a tool for managing GDPR compliance that enables the identification and prioritization of risks related to personal data processing.
Why is it mandatory? (Article 30 of the GDPR)
Article 30 of the GDPR requires the processing register. It replaces the former obligation to notify the authorities in advance.
The processing register must be kept up to date and presented to the supervisory authority upon request. The register applies to all controllers and processors, with specific exceptions for small organizations. Therefore, it is a tool for managing GDPR compliance.
Who is affected by this obligation?
All organizations that process personal data are required to keep a processing register, regardless of their size.
However, companies with fewer than 250 employees are exempt. This exemption does not apply if the processing is not occasional, involves sensitive data, or poses a risk to the rights and freedoms of the individuals concerned.
Therefore, even small organizations must assess their processing activities to determine if they are required to keep a record in accordance with Article 30 of the GDPR.
What information must a processing register contain?
Mandatory information to be provided
The data controller (DC) determines the purposes and means of processing. The register kept by the DC must include the following:
- The name and contact details of the DC, any joint controllers, the representative (if applicable), and the DPO
- Purposes of the processing
- Categories of data subjects and categories of personal data
- Categories of recipients (including transfers outside the EU)
- Transfers of data to a third country or international organization and the appropriate safeguards
- Time limits for erasure of the different categories of data
- General description of technical and organizational security measures (Article 32 GDPR)
The register must be written, updated regularly, and presented to the CNIL upon request. It is a key tool for managing GDPR compliance.
The subprocessor (SP) acts on behalf of the data controller (DC) and keeps a simplified register containing the processing operations carried out for each DC, including transfers outside the EU and security measures. Depending on the use case, an organization may be both a DC and an SP (e.g., internal payroll and services for a customer).
This register allows data controllers to demonstrate compliance and respond to requests from the CNIL or the organizations for which the processor acts.
The register template proposed by the CNIL
The CNIL has proposed a simplified spreadsheet template. It includes columns such as: name of the processing operation, purpose, legal basis, categories of data subjects, types of data, recipients, transfers, retention period, security measures.
How to create and maintain your processing register?
Creation steps: mapping, documentation, and updating
To create a compliant register, start by mapping all data processing operations.
For each mapped operation, identify its purpose, data categories, retention period, legal basis, security measures, and recipients. Then, document each processing operation using a clear template, such as the one provided by the CNIL.
With this in mind, Adequacy has created a specific register module tailored to the needs of private companies, public bodies, and associations in line with all CNIL requirements.
Remember to update the register regularly in the event of any changes, such as new processing or contract amendments.
Tools and software that facilitate processing and register management
Excel files quickly reach their limits due to frequent errors, a lack of collaboration, and a lack of traceability.
Tools such as Adequacy enable collaborative management with automatic alerts, change tracking, and a clear interface. These features make the register more reliable, secure, and accessible to all stakeholders.
What is the right level of detail for a processing register?
This is probably the most difficult question when setting up a register.
Experience shows that, for an average company with 500 employees, a cross-functional area (HR, finance, communication, etc.) is divided into around ten activities.
A processing record in the register lists data categories such as pay stubs, employee contact information, and career history.
To learn more about this topic, watch a clear video explaining the two golden rules for ensuring your register has the right level of detail.
Examples of Processing Records by Domain
Human Resources (HR) Processing Register
This includes personnel management, such as payroll and absences, as well as recruitment, interviews, and training.
These processes handle sensitive data such as social security numbers, health information, and union membership.
The register must list the service providers (HRIS and external firms) and the retention periods.
Healthcare Processing Register
Healthcare institutions manage medical records, appointments, third-party payments, and teleconsultations. Sometimes they also manage data warehouses.
The data processed is highly sensitive, including health status and treatments. Hosting must be HDS-certified. The legal basis is usually public interest.
The register must include the flows, the actors involved, and the necessary impact analyses.
Processing registers for local authorities
Local authorities process data related to civil status, urban security, school enrollment, and social assistance. This processing is based on legal obligations or public interest.
The register must document who has access to it (municipal officials and service providers), how long the data is retained, and security measures such as video surveillance.
Penalties for failure to maintain records
According to Article 30 of the GDPR, all data controllers, including organizations with fewer than 250 employees in certain cases, must maintain records of processing activities. Failure to do so constitutes a formal violation of the regulation, even if no data breach has occurred.
This may result in an administrative penalty of up to 2% of global annual turnover or €10 million, whichever is higher (Article 83.4.a). The CNIL considers the register a fundamental tool for managing compliance; its absence reflects a lack of governance.
Specific examples of grounds for rejection
- Complete absence of a record of processing activities.
- An incomplete or obsolete record that does not reflect actual processing operations.
- The record was not made available to the authority during an inspection.
- No mention of the legal basis, purposes, or recipients.
- The register is not compliant with the requirements of Articles 30.1 and 30.2 of the GDPR, depending on whether you are the controller or processor.
Indicative amounts of fines imposed
Examples of penalties for failing to keep records
France – CNIL: Local Authority (2022)
- Reason: No processing register and no legal basis.
- Penalty: €30,000 fine.
- Aggravating circumstances: Sensitive data (health and social) was processed, and a Data Protection Officer (DPO) was not appointed.
Spain – AEPD: Large company in the private education sector (2021)
- Reason: The register did not mention the legal bases or retention periods.
- Penalty: €40,000 fine.
- Comment: The authority deemed the inaccuracy of the register to be indicative of a lack of control over GDPR management.
Italy – Garante: Regional public institution (2020)
- Reason: Lack of a register or documentation on the purposes of processing.
- Penalty: €75,000 fine.
- Aggravating factor: Failure to cooperate with the authority during the audit.
Germany – BfDI: Technology company (2019)
- Reason: Incomplete records and unreported mass processing (e.g., tracking and advertising).
- Penalty: €60,000 fine.
- Specificity: The German authority emphasized the obligation of transparency.
Q&A
- What is a record of processing activities?
It is a detailed list of all activities involving personal data within an organization. It is required under Article 30 of the GDPR.
- Why is it mandatory?
Failure to maintain a processing record can result in substantial GDPR penalties, even in the absence of a data breach. Supervisory authorities, such as the CNIL in France, will likely inspect organizations to ensure they are keeping and updating records. Additionally, the GDPR requires all processing activities to be documented to demonstrate ongoing compliance.
- Who is affected by this obligation?
Organizations with 250 or more employees must keep a record. However, organizations with fewer than 250 employees must also keep a record of processing activities if they process sensitive data on a large scale or in connection with legal obligations.
- What must a processing record contain?
It must indicate the purpose, legal basis, data categories, recipients, retention period, and security measures. Article 30.1 of the GDPR sets out the expected content for the register of a data controller, and Article 30.2 sets out the expected content for the register of a processor.
- Can the management of the register be outsourced?
The register is usually maintained by the DPO (Data Protection Officer), who may be internal or external to the organization. In any case, the data controller remains legally responsible to the CNIL.
- What is the recommended update frequency?
The register must be updated at least once a year. Any changes to a processing record must be updated as soon as possible.
- Is it necessary to create a specific register for human resources (HR)?
Human resources management is a priority issue in all organizations. It concerns all employees and involves sensitive data such as date of birth, personal circumstances, bank details, and health data. However, each department must keep a record of all processing activities whenever personal data is processed (collection, use, storage, communication, etc.).
- Is the register useful for strategic management?
Yes, the register is essential for establishing an internal data protection culture. It enables strategic actions to be prioritized, risks to be anticipated, and GDPR compliance governance to be structured.
- What is the English term for the register of processing activities?
The term used in English is ROPA (Register of Processing Activities).