Record of processing activities: how to build it and keep it updated


Audit for scouting the processing of personal data

First draft of the Record(s) of processing activities

Verification and revision together with the Client

Training on the modalities for the proper updating, retention and use of the Record of processing activities

The record of processing activities is an essential tool not only for obtaining an up-to-date picture of the processing carried out within an organization or a public body, but also for every risk assessment and analysis (further requirements imposed by GDPR in the light of accountability).

How can we expect to demonstrate that all the measures necessary to ensure compliance with privacy laws have been adopted if we do not even know with certainty which processing operations are carried out in the company, how they are carried out and which security measures protect them?

For this reason the DPA, in its Guideline on the application of the EU Regulation on the protection of personal data, takes the view that “the record of processing is not a formal requirement but a component of a proper personal data management system”, inviting all controllers and processors, regardless of the organization’s size, to take the necessary steps to adopt the record.

The Data Protection Authority thus addresses all the parties involved, regardless of the size of the organization!

Yes, because art. 30 of GDPR exempts from the requirement organizations employing fewer than 250 persons “unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10”.

As already mentioned, in accordance with the DPA recommendation, it is our Firm's opinion that the record of processing activities is the essential starting point for every organization adopting any strategy to ensure compliance in the data protection field.

In addition to requiring that the record be in writing, including in electronic form, and that it be made available to the supervisory authority on request, art. 30 of GDPR provides a list of mandatory information to be included in the record:

  • the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer;
  • the purposes of the processing;
  • a description of the categories of data subjects and of the categories of personal data;
  • the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;
  • where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organization and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
  • where possible, the envisaged time limits for erasure of the different categories of data;
  • where possible, a general description of the technical and organizational security measures referred to in Article 32(1).

This is, of course, the list of the essential information that must be included in the record. However, since this document must not be considered a mere formality but rather an operational tool, we suggest adding any information useful to the controller or the processor for correctly managing the privacy aspects of the processing.

