Lexicon > Register of processing activities

IT Glossary

Register of processing activities

The register of personal data processing activities contributes to documenting the compliance of controllers and processors, particularly with regard to their accountability.

It allows to list the personal data processing operations carried out by the organization and thus to have an overview of these operations.

Each controller must establish and maintain a register of processing activities that includes at least the following information:

  • The name and contact details of the controller and, if applicable, the joint controller, the controller’s representative and the data protection officer;
  • A description of the categories of data subjects and categories of personal data;
  • Categories of recipients to whom personal data have been or will be disclosed;
  • If possible, the timeframes for the deletion of the different categories of data;
  • If possible, a general description of the technical and organizational security measures.

Processors, for their part, must establish and maintain a separate register of processing activities that includes at least the following information:

  • The name and contact details of the processor(s) and of each controller on whose behalf the processor is acting and, where applicable, of the controller or processor, and those of the data protection officer;
  • The categories of processing carried out on behalf of each controller;
  • Where applicable, transfers of personal data to a third country or to an international organization;
  • If possible, a general description of the technical and organizational security measures.

Organizations with fewer than 250 employees may only include in their register of processing activities those processing operations that are likely to present a risk to the rights and freedoms of data subjects, if they are not occasional or if they involve special categories of data.

In practice, this exemption is therefore particularly limited and it is therefore recommended to document all the treatments implemented independently of this exemption.


In order to demonstrate compliance with this Regulation, the controller or processor should maintain records for the processing activities for which it is responsible. Each controller and processor should be required to cooperate with the supervisory authority and to make such records available to the supervisory authority, upon request, for the purpose of monitoring the processing operations.

Recital 82 of the GDPR

Point of jurisprudence

The Belgian supervisory authority considers that ” This register of processing activities is an essential tool for accountability, i.e. the principle of responsibility of the controller already mentioned (Articles 5.2. and 24 of the GDPR) (as well as, indirectly, of the processor9 ) and which underlies all the obligations imposed on him by the GDPR.

Indeed, in order to effectively apply the data protection rules contained in the GDPR and the obligations placed on them, it is essential that data controllers (and processors) identify and have an overview of the personal data processing operations they carry out. This register is therefore first and foremost a tool designed to help data controllers (and processors) comply with the GDPR by visualizing the various data processing operations they carry out and their main characteristics “.

Data Protection Authority, April 20, 2020, No. 16/2020

The Bouchara firm assists you in particular in :

  • Making your organization GDPR compliant;
  • The drafting of data protection policies (privacy policy, computer charter …);
  • Documentation of your processing (register of processing activities, register of violations, privacy impact analysis, prior consultation…);
  • Obtaining certifications and adhering to codes of conduct;
  • The study of the legal feasibility of the implementation of a new personal data processing;
  • The drafting and transmission of your codes of conduct to the CNIL for approval;
  • Legal analysis of the compliance of your data processing, including data transfers outside the European Economic Area;
  • Drafting and negotiating your data processing agreements (DPA);
  • Drafting your Binding Corporate Rules (BCR) and Codes of Conduct;
  • Training and awareness of your employees.

We are also the external Data Protection Officer of many data processors and subcontractors.