What is a record of processing activities?

Łukasz Bonczol
The provisions of the GDPR impose an obligation on personal data controllers to keep a record of processing activities. It is documentation that includes a list of activities used by an organization to process personal data. What should such a register contain, and who exactly is obliged to keep it?

What are processing activities? Who needs a record of processing activities?

The GDPR does not define the term "processing activity", so it is not entirely clear what should be documented in the record. A processing activity can be understood as a set of steps taken to achieve a specific goal in the company. Both the type of activities and their level of detail will largely depend on the organization's industry and profile.

Examples of processing activities include, but are not limited to:

  • Use of software that collects and stores personal data (e.g., working time registration system, electronic access cards or video surveillance)
  • Employee recruitment
  • Training management
  • Payroll accounting
  • Sending newsletters to customers

With regard to this type of activity, the personal data controller must include in the record such information as:

  • The name and contact details of the personal data controller and the data protection officer
  • Purposes of personal data processing
  • Description of the categories of personal data subjects
  • Categories of recipients with whom the data is shared
  • Information on any transfer of data to a third country or an international organization
  • Planned deletion dates for each category of personal data
  • Description of security measures applied to the processed personal data

Although the record of processing activities is an internal document, it must be kept by any organization with at least 250 employees. Smaller companies may also be required to do so, provided that:

  • The processing of personal data for which the organization is responsible may pose a threat to the rights and freedoms of data subjects
  • Data processing by the organization is permanent and not occasional
  • The organization processes special categories of personal data (e.g., related to criminal offences or medical records)

You also need to remember that the record of processing activities should include all the images and videos in which the faces of people within and near your company are visible (e.g., from video surveillance). With Gallio, you can quickly anonymize any video files without the need to share data with third parties or upload it anywhere online. Moreover, the process does not affect the quality of your video files and offers an accuracy of 98%.

To sum up, the record of processing activities is one of the basic elements of securing personal data in an organization. It allows you to conveniently and effectively manage your obligations under the GDPR. It also facilitates the ongoing verification of processes involving personal data in your company - both in legal and business terms.