Processor's record of processing activities

Organisations are obligated to draw up a written description of their personal data processing. This description is called a record of processing activities.

The obligation to draw up a record of processing activities applies to all organisations with more than 250 employees. Smaller organisations are also required to draw up the record if

  • the personal data processing for which the organisation is responsible is likely to pose a risk to the rights and freedoms of data subjects
  • the organisation's processing of personal data is not occasional or
  • the organisation processes special categories of data, or personal data relating to criminal convictions and offences.

Processor refers to a natural person, legal entity, public authority, agency or other body which processes personal data on behalf of the controller.

It does not refer to employees working for the controller (or processor), but is typically another organisation contracted to perform data processing services on behalf of the controller.

Template for processors: record of processing activities (Excel, 18 KB)

The record drawn up by the processor is required to state the following information