Creating a list of processing activities sounds quite complicated. Who needs such a list? And how does it have to be done? What belongs in it?

Lots of questions … This article gives you a simple guide to implementing this supposedly complex structure with relatively little effort.

What is a list of processing activities, anyway?

Processing activities in the sense of data protection are understood to mean all processes within a company that process personal data. Where do you, your colleagues or your employees come into contact with information that refers to people? Examples are payroll accounting and employee administration, but also, for instance, an itemized telephone record. If your customers are end users, then you probably hold their addresses, e-mail contacts, payment data, purchasing behaviour and much more.

In the record of processing activities, you have to list all the “procedures” in which you enter or process this data.

This list varies in length depending on the company. It makes a difference whether you are a solopreneur or are creating the record of processing activities for a large company. Are your customers business customers or end consumers? For business customers, some procedures are omitted, since a business customer discloses personal data only to a limited extent in business transactions.

Who needs a record of processing activities?

(Almost) without exception, every company, entrepreneur and self-employed person is responsible for keeping an overview of their procedures. In theory, there is an exception in Article 30 of the GDPR. According to paragraph 5, a list of processing activities only has to be drawn up by companies with 250 employees or more. However, when you read the complete article, you learn that if the processing is carried out more than just occasionally, it must be entered in the record of processing activities.

Regardless of whether you have/need a data protection officer or not – you always need the directory. Except if, as just mentioned, you only process “occasionally”.

By the way, this requirement for a list of processing activities is not new. It existed before and didn't just arrive with the GDPR. If you have already established a functioning data protection system in your company, this will not surprise you.

Who creates the list of processing activities?

Who then is responsible for creating the record of processing activities? As so often, it is the person responsible for data processing – the entrepreneur or managing director. In legal terms, “the responsible body”.

Who actually does the work in practice, however, is a different story. As data protection officer, I coordinate the creation of the record for “my” client companies and support them in the process. Afterwards, I always review it with the management, because management is the responsible body and the one that has to account for it. Of course, we do not go through every procedure in detail. However, I consider it important to discuss the risks that remain at the end of the process. But more on that later.

Depending on the size of your company, you should try to find the most efficient solution for creating and maintaining the list of processing activities. In the case of smaller companies or sole proprietorships, I normally meet directly with the managing director or owner and we create the record in a short question-and-answer interview. Then I hand over the documentation to the responsible office.

What belongs in a list of processing activities?

The content is defined in Article 30 of the GDPR. Here is a summary of the information that must be included:

  • name and contact details of the person responsible
  • purpose of the processing, i.e. the WHY
  • which groups of persons are affected and which data is affected
  • to whom this data is made available (internal, external, also third countries)
  • description of the transfer to the third country (is it legally safeguarded?)
  • planned time limits for data deletion (if possible)
  • general description of the technical security of the data (if possible)

You must document this information for your own processing. However, you must also provide the same information if, for example, you process data for your customers. Example: if you run payroll internally for your employees, then this is a procedure that needs to be documented. If you also perform payroll accounting as a service provider for your customers, then you must document this as well. Technically speaking, you are then working as a processor on behalf of your customer. I recommend that you describe this procedure twice in the list of processing activities.

Are there any “standard procedures”?

I wouldn’t necessarily call them “standard procedures”, but in any case there are procedures that occur regularly and in almost every company. Let's take a look at which ones they are.

Do you have employees? Then of course you always have all the processes around employee administration: applications, payroll accounting, PC access and so on. But even without employees, there are recurring procedures. Just think of your Internet presence: e-mail marketing via newsletter and the analysis of visitor behaviour on your website are two examples of recurring procedures.

What does a model list of processing activities look like?

Of course, you can buy special software. But in many cases this would be like using a sledgehammer to crack a nut. I recommend using a simple Excel list with the following columns:

  • name of the procedure
  • as processor (y/n)
  • record date
  • name of the person in charge
  • e-mail of the person in charge
  • telephone number of the person in charge
  • description of the processing / purpose
  • groups of persons concerned
  • data concerned
  • recipient of the data
  • recipient of the data in a third country
  • description of the security of the data transfer to the third country
  • deletion period
  • description of the IT security of the data
  • description of the physical security of the data

Of course you can add further columns to this Excel list. This is just my recommendation for creating a list of processing activities in a simple and compact way in accordance with Article 30 GDPR. If you use these fields, it takes relatively little effort to describe the procedures.

Here you will find a template as an Excel file, which you are welcome to use.


Download template for the record of processing activities in Excel

Procedure for filling out the list

Depending on the size of your company, you fill out the list either alone or together with your colleagues. In larger companies, the data protection officer has to take care of it. With my customers, I prefer to create the list of processing activities during interviews. I interview the department heads and ask about their processes with regard to the processing of personal data. It turns out relatively often that a third party is involved in the procedure as an external processor. This information is valuable for preparing data processing agreements, so add a note to that effect in the corresponding place in your documentation.

As a general approach, I recommend that you simply walk through the different processes of the company. Even if you do not have a documented quality management (QM) system, you do have processes that you carry out on a regular basis. Go through them in your mind and record each instance of personal data processing in the list.

Tell us your experience

Are you already working on a list of processing activities? How have you done so far? Where are your biggest hurdles in practice?

We look forward to your comments.

Do you need any help?

We would be happy to assist you in implementing the GDPR requirements in your company.

Let me and my team be your mentors! Write us an e-mail!