Generally speaking, every organisation should keep a record of their processing activities. This is an inventory of all processing operations and can help you make correct assumptions of your responsibilities under the GDPR and possible risks.

Each of these processing operations must be described in the record with the following information:

• the purpose of the processing (e.g. customer loyalty);
• the categories of data processed (e.g. for payroll: name, first name, date of birth, salary, etc.);
• who has access to the data (the recipients – e.g.: the department in charge of recruitment, the IT service, management, service providers, partners...);
• where applicable, information related to transfers of personal data outside the European Economic Area (EEA),
• where possible, the storage period (the period for which the data are useful from an operational point of view, and from an archiving perspective).
• where possible, a general description of the security measures.

The record of processing activities falls under the responsibility of your organisation’s manager.

This record must be available to the data protection authority of the EEA country where you operate, if requested.

It is not required for organisations employing fewer than 250 persons to mention purely occasional activities in their record (e.g. data processed for one-off events such as the opening of a shop).

More information:

• Be compliant