Art. 30 GDPR 11 min read·

GDPR Processing Register: Mandatory or Not?

Technically mandatory from 250 employees, the processing register is in practice indispensable for any organization that manages customer or HR data. Here is what to include, a simplified template for SMEs, and the 5 processing activities you inevitably have.

Article 30 GDPR: what it actually says

Art. 30 GDPR requires every data controller to keep a record of processing activities. The theoretical exception for organizations with fewer than 250 employees disappears as soon as one of these three conditions is met:

  • The processing is likely to present a risk to the rights and freedoms of individuals (health data, surveillance, extensive profiling)
  • The processing is not occasional (a monthly newsletter, a continuous CRM = not occasional)
  • The processing concerns sensitive data (Art. 9) or data relating to criminal convictions

In practice, virtually all SMEs meet at least the second condition (non-occasional processing: CRM, newsletter, billing, HR). The register is therefore de facto mandatory for the vast majority of French companies, regardless of their size.

The CNIL explicitly recommends that all companies, even below 250 employees, keep a processing register. It is the basic tool for demonstrating compliance (accountability, Art. 5(2) GDPR).

The 8 mandatory pieces of information per processing activity

For each processing activity, the register must contain the following elements:

1. Name and contact of controller
Your company name, address, DPO email or GDPR contact
2. Processing purpose
The precise objective: "customer relationship management", "recruitment", "sending commercial newsletters"
3. Categories of data subjects
Customers, prospects, employees, service providers, site visitors
4. Categories of data processed
Name, email, phone, browsing data, purchase history — without listing each field
5. Categories of recipients
Who accesses the data: internal teams, sub-processors (host, CRM, email), partners
6. Transfers outside EU
If data goes to USA, India or elsewhere: legal basis for transfer (DPF, SCCs, derogations)
7. Erasure deadlines
Planned retention period before deletion or anonymization
8. Security measures
General description: encryption, access control, backups, pseudonymization

Start your register with your site's cookie audit

RGPDScan detects all active sub-processors (analytics, advertising, support) to document in your register.

Simplified template: the 5 classic processing activities of an SME

Here is a directly usable template for the 5 processing activities that every SME has. Simply adapt the information to your context.

ProcessingPurposeLegal basisDuration
CRM / ProspectsCommercial relationship managementLegitimate interest3 years after last contact
Billing / CustomersContract performance, tax obligationsContract + legal obligation10 years (accounting limitation)
NewsletterCommercial communicationConsentUntil unsubscription + 3 years
Human resourcesEmployee management, payrollContract + legal obligation5 years after departure
Video surveillance (if applicable)Premises securityLegitimate interest1 month (CNIL)

How to keep the register up to date

A static register is of little use. Best practices to keep it alive:

  • Annual reviewEach new year, review all processing activities. Remove abandoned ones, update sub-processors and durations.
  • Update triggersAny new SaaS tool adopted, new provider accessing data, new feature collecting data should trigger an update.
  • An identified responsibleName one person as owner of the register (DPO, CTO, legal manager). Without an identified owner, the register becomes outdated.
  • Link with DPIAsHigh-risk processing activities in the register should reference the corresponding Data Protection Impact Assessment (DPIA).

Going further

Frequently asked questions

Is the processing register mandatory for a small business?
Strictly, Art. 30 GDPR requires a register for organizations with more than 250 employees. But there is an important exception: if your processing is likely to present a risk to rights and freedoms (sensitive data, surveillance), or if your processing is not occasional, the register is mandatory regardless of size. In practice, any SME that manages a CRM, sends newsletters or stores customer data should keep a register.
What must the processing register contain?
For each processing activity: (1) name and contact details of the data controller, (2) processing purpose, (3) categories of data subjects, (4) categories of data processed, (5) categories of recipients, (6) transfers to third countries and safeguards, (7) planned erasure deadlines, (8) description of security measures. Sub-processors must also keep a register of their processing activities on behalf of their clients.
What format should the register be in?
No format is imposed by the GDPR. You can use an Excel spreadsheet, Google Sheets, Notion, or a dedicated GDPR tool. The CNIL offers a free Excel template on its website. The key: the register must be kept up to date, accessible in case of CNIL audit, and cover all actual processing activities of the organization.
What is the difference between a register and a privacy policy?
The privacy policy is a public document intended for data subjects (your users/customers) to inform them of their rights and the processing that concerns them. The processing register is an internal document for the CNIL and your DPO to prove your compliance. Both are complementary but distinct.
Is a DPO needed to keep the register?
No, a DPO (Data Protection Officer) is only required for public bodies, organizations whose main activity involves systematic large-scale monitoring, or large-scale processing of sensitive data. SMEs without a mandatory DPO can keep their register themselves or use an external GDPR service provider.
What are the risks without a processing register?
During a CNIL audit, the absence of a register is a direct breach of Art. 30. The CNIL can issue a formal notice to create one within a set deadline. If not complied with, financial sanctions are possible (up to €10M or 2% of turnover for documentary violations). In practice, audits often begin with a request for the register — its absence always aggravates the subsequent audit.

Identify your sub-processors to document

RGPDScan automatically detects all active third-party tools on your site — ready to integrate into your register.