How to keep records of personal data processing activities under the GDPR

Who is obliged to keep records of activities? What records must be kept and what should such a record document look like? If you are also asking yourself these questions, the following paragraphs may help you.


The General Data Protection Regulation introduces, amongst other things, a obligation for employers to keep records of the personal data processing activities of their employees. What exactly is meant by this and how to keep these records properly?

What are activity records?

Records of processing activities de facto replace the notification obligation, i.e. the reporting of personal data processing to the Data Protection Authority. Records of processing activities are mandatory for employers to keep and make available to the DPO upon request. It is therefore not necessary to report the processing, but it is necessary to keep records.

Who is not obliged to keep records of activities?

The GDPR grants several exemptions from the obligation to keep such records. According to him, he does not have this obligation:

a) a business or organisation employing less than 250 employees, unless

b) the processing constitutes a risk to the rights and freedoms of data subjects,

c) the processing is not occasional; or

d) it involves processing of special categories of personal data or personal data relating to criminal convictions.

But be warned - the obligation to keep records of processing activities applies to you, if you are the controller, if you meet at least one of the following conditions. So lawyers point out that an employer who does not keep records runs some risk.

What records must be kept?

The records that every employer is required to keep include:

  • camera system installed for the protection of the employer's property and employees and the safety of workers,
  • special categories of personal data, such as data concerning racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, data concerning health, sexual orientation of an individual or genetic and biometric data,
  • records of health data processing activities, e.g. initial medical examinations, etc.

How to keep the records correctly?

Preparing the document itself is then nothing to worry about. The regulation directly specifies what information must be included:

  • the name and contact details of the controller (or also the name and contact details of the delegate, if appointed),
  • the purpose of the processing,
  • description of categories of subjects and categories of personal data,
  • categories of recipients to whom personal data have been or will be disclosed,
  • the scope of the personal data processed,
  • information about the recipients of the personal data, the transfer of data to third countries, the time limits for erasure of each category of data and a description of the technical and organisational measures taken to ensure data security.

After reading the above lines, are you sure whether the obligation to keep records of personal data processing activities also applies to you? Or are you then missing something in the document itself? Do not hesitate to contact us for advice.