GDPR Processing Register: Mandatory or Not?
Technically mandatory from 250 employees, the processing register is in practice indispensable for any organization that manages customer or HR data. Here is what to include, a simplified template for SMEs, and the 5 processing activities you inevitably have.
Article 30 GDPR: what it actually says
Art. 30 GDPR requires every data controller to keep a record of processing activities. The theoretical exception for organizations with fewer than 250 employees disappears as soon as one of these three conditions is met:
- The processing is likely to present a risk to the rights and freedoms of individuals (health data, surveillance, extensive profiling)
- The processing is not occasional (a monthly newsletter, a continuous CRM = not occasional)
- The processing concerns sensitive data (Art. 9) or data relating to criminal convictions
In practice, virtually all SMEs meet at least the second condition (non-occasional processing: CRM, newsletter, billing, HR). The register is therefore de facto mandatory for the vast majority of French companies, regardless of their size.
The CNIL explicitly recommends that all companies, even below 250 employees, keep a processing register. It is the basic tool for demonstrating compliance (accountability, Art. 5(2) GDPR).
The 8 mandatory pieces of information per processing activity
For each processing activity, the register must contain the following elements:
Start your register with your site's cookie audit
RGPDScan detects all active sub-processors (analytics, advertising, support) to document in your register.
Simplified template: the 5 classic processing activities of an SME
Here is a directly usable template for the 5 processing activities that every SME has. Simply adapt the information to your context.
| Processing | Purpose | Legal basis | Duration |
|---|---|---|---|
| CRM / Prospects | Commercial relationship management | Legitimate interest | 3 years after last contact |
| Billing / Customers | Contract performance, tax obligations | Contract + legal obligation | 10 years (accounting limitation) |
| Newsletter | Commercial communication | Consent | Until unsubscription + 3 years |
| Human resources | Employee management, payroll | Contract + legal obligation | 5 years after departure |
| Video surveillance (if applicable) | Premises security | Legitimate interest | 1 month (CNIL) |
How to keep the register up to date
A static register is of little use. Best practices to keep it alive:
- Annual review — Each new year, review all processing activities. Remove abandoned ones, update sub-processors and durations.
- Update triggers — Any new SaaS tool adopted, new provider accessing data, new feature collecting data should trigger an update.
- An identified responsible — Name one person as owner of the register (DPO, CTO, legal manager). Without an identified owner, the register becomes outdated.
- Link with DPIAs — High-risk processing activities in the register should reference the corresponding Data Protection Impact Assessment (DPIA).
Going further
- GDPR compliance checklist 2026
- GDPR sub-processor DPA: the missing clause
- Internal GDPR audit: the 7-step method
- Tools to manage your processing register
- CNIL fines 2026: what exposes your site