Records of Processing
Home » The GDPR » Main Tools and Actions » Documentation of processing personal data » Records of Processing

Records of processing can be kept in written or electronic form[1]. So expect to either fill in an organization-specific form or enter your information into some (data protection) management system.

To provide an initial idea, the minimal content of the records of processing for controllers includes the following items[2]:

Your organization may use a different set of items since on one hand, it already is in possession of some of this information (such as the first bullet), and on the other hand, it may require additional information (such as the contact of the person responsible for the single processing activity at hand). It is possible that the legally required record keeping is combined with the management needs of the organization, such as an internal inventory of computing and computing resources.

Your organization may also use multiple systems, e.g. depending on whether it is acting as a controller or as a processor; or distinguishing between permanent data processing activities (such as communication systems and accounting) and temporary ones (such as those linked to temporary projects or assignments). The creation and maintenance of records across multiple systems is not prohibited under the GDPR.

Should you have difficulties in providing the requested information, your data protection officer (if your organization has one) may be able to help.

Checklist (records of processing)

  • Contact the office/person who is keeping the records of processing for your organization.
    • If necessary, your Data Protection Officer can help establish the contact.
  • Inform them early on that you intend to process personal data.
    • Your processing activity needs to be entered in the records before processing starts.
  • Follow their instructions of
    • what information you need to provide for the records of processing,
    • when you need to send updates of this information.




1See Art. 30(3) GDPR.

2See Art. 30(1) GDPR for more detail.

Skip to content