Records of Processing Activities [Templates and Examples for different Industries]

To help you get started we have prepared GDPR-compliant records of processing activities templates, with predefined categories of data you need to keep track of, for three different industries. The article itself should be useful regardless of your industry:

BANKING
TELECOMMUNICATION
RETAIL

What is the Record of Processing Activities?

Article 30 of the General Data Protection Regulation (GDPR) requires you to document the processing of personal data that takes place within your company. The records must be in writing, including in electronic form.

Records of processing activities (ROPA) should answer questions like:

  • how are you processing data?
  • why are you processing data?
  • what kind of data are you processing?
  • where is the processing taking place?
  • who are you disclosing the data to?

These records of processing activities templates are just a starting point to get you going. Keep in mind that we have discussed elsewhere why Excel is not an ideal way to maintain records of processing activities.

Records of processing activities will also be the starting point for an audit by the supervisory authority, so make sure you keep your records updated. GDPR tools can help by automating the entire process.

Does Your Company Need to Keep Records of Processing Activities?

You have to keep records of processing activities if your company has 250 or more employees. Small and medium-sized companies with fewer than 250 employees are exempt, unless any of the following applies, in which case they are obligated to keep the records as well:

  1. processing is not occasional (processing is not a one-time occurrence)
  2. processing is likely to pose a risk to the rights and freedoms of the data subject
  3. processing involves a special category data or criminal conviction data

However, since most companies process personal data regularly rather than occasionally (for example, employee data that national employment and tax law require them to process), the exemption rarely applies, and your company is most likely obligated to keep records of processing activities.

How to Start?

First, you need to discover personal data processing within your organization and document data categories and systems where they are processed. We have discussed this in our blog:

Why is Data Discovery important for compliance? [Infographic]

To do it properly, you should engage other departments. Specifically, engage with colleagues from data-driven departments like Marketing, HR, Legal, and IT.

Include core business (products, services) departments whose business model relies on data processing.

Determining organization’s role

Determine and document your role for each processing activity. You can be a data processor in some cases and a data controller in others, so make sure you are aware of your responsibilities in each role.

The deciding factor will be the control of the data, rather than possession. So if you are determining how and why you are collecting data you are a controller and your obligations under the GDPR will be greater.

The controller determines the purposes and means of the processing and is accountable for processing done by the processor. As a controller, you need to ensure that the processor has implemented appropriate technical and organizational measures to ensure GDPR compliant data processing.

The processor processes personal data on behalf of the controller and only on the controller's documented instructions. It is responsible for implementing the processes and safeguards that allow the controller to collect, store, and, where necessary, transfer the data in a compliant way.

A joint data controller means that your organization, together with one or more organizations, jointly determines ‘why‘ and ‘how’ personal data should be processed.

Difference between data controller and data processor

Information You Should Include in Your Records

Required form of Records of processing activities

The records of processing activities have to be in writing, including in electronic form, and remember: they hold value only if you keep them up to date.

There are a few more things to take into account. Departments need to be able to cooperate on the records, the records need to be usable by those departments, and the availability and integrity of the procedural information must be maintained.

Records of Processing Activities example

The following information is the legally required minimum, which needs to be available to the supervisory authority on request. (Article 30(4) of the GDPR).

Document the required information about your company:

Data Controller: Name, Address, Email, Telephone
Data Protection Officer (if applicable): Name, Address, Email, Telephone
Representative (if applicable): Name, Address, Email, Telephone

If you are looking for a template to start keeping your Records of Processing Activities, any of the following ones should be sufficient as a base.

Records of processing activities template for banking industry

Records of processing activities: Credit example in a bank

Processing activity name: Credit approval
Data subjects categories: Clients
Data categories: Identification data; Ownership data
Lawful basis: Contract
Purpose: A loan collateral
Data retention period: 11 years
Data controller: Company A
Processing activity details: We collect information from the client on the insurance application form, depending on the type of insurance policy (the policy serves as collateral for the loan). The client's offer is printed, signed, scanned, and placed as an integral part of the loan file. These documents are then sent to Risk for processing.
Data processor:
Data receiver: FINA (HR)
Security measures: Pseudonymization, Access control, Encryption of data
External systems: Core banking system
Owner name: John Williams, Head of Finance

Download Records of processing activities template for the Banking industry

BANKING template

 

Records of processing activities template for telecommunications

Marketing example in a Telecommunications company

Processing activity name: Newsletter
Data subjects categories: Marketing contacts, Clients
Data categories: Contact data, Personal contact data
Lawful basis: Consent
Purpose: Notifying customers about products and services
Data retention period: 1 year
Data controller: Company A
Processing activity details: Marketing activities directed at existing and potential customers
Data processor: Marketing cloud service provider (HU)
Data receiver: FINA (HR)
Security measures: Pseudonymization, Access control
External systems: Analytics system, CRM, Data Warehouse, Salesforce, ERP
Owner name: Joanna Smith, Head of Marketing

Download Records of processing activities template for Telecommunication industry

TELCO template

Records of processing activities template for retail

HR example in a Retail company

Processing activity name: Working hours record
Data subjects categories: Employees
Data categories: SAP ID; Time and stay information
Lawful basis: Legal obligations
Purpose: Recording the time an employee spends in a particular workplace space
Data retention period: Until the employment contract is no longer valid, has expired, or the employee has stopped working for the company
Data controller: Company A
Processing activity details: Employees use access cards to enter the premises in accordance with their assigned access rights. The cards also record entry and exit times and are used to record employee attendance and time spent at work. This information is later used in the calculation of salary.
Data processor: SAP; EXOR
Data receiver: Data Link
Security measures: Pseudonymization, Access control
External systems: ERP
Owner name: Marie Johnson, Head of HR

 

Download Records of processing activities template for Retail

RETAIL template
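The three templates above share one field layout, and the article stresses that records are only useful if they are complete and current. The following script is an added example, not code from the original page or from any vendor tool: it parses records written in the "Field: value" layout used above and flags entries that leave a required field empty, use an unrecognised lawful basis, or give a retention period that is neither a duration nor an event. The list of required fields, the accepted lawful bases, and the retention-period rule are assumptions chosen to mirror the template columns; the banking and retail records are transcribed from the page, and the "Web analytics" record is constructed to show what a failing entry looks like.

```python
"""Validate records of processing activities written in the 'Field: value'
layout of the templates above.  Added example; field names, the required
list and the lawful-basis vocabulary are assumptions modelled on the template."""
import re

# Columns every template record carries (assumption: the template's layout).
TEMPLATE_FIELDS = (
    "Processing activity name", "Data subjects categories", "Data categories",
    "Lawful basis", "Purpose", "Data retention period", "Data controller",
    "Processing activity details", "Data processor", "Data receiver",
    "Security measures", "External systems", "Owner name",
)
# Fields that must not be empty.  "Data processor" is deliberately optional:
# a controller doing its own processing has none (as in the banking record).
REQUIRED_FIELDS = (
    "Processing activity name", "Data subjects categories", "Data categories",
    "Lawful basis", "Purpose", "Data retention period", "Data controller",
    "Data receiver", "Security measures",
)
LAWFUL_BASES = {"consent", "contract", "legal obligation", "legal obligations",
                "vital interests", "public task", "legitimate interests"}

def parse_record(text):
    """Turn a 'Field: value' block (one field per line) into a dict.
    A line without a colon is treated as a continuation of the previous field."""
    record, last = {}, None
    for line in text.strip().splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            record[key.strip()] = value.strip()
            last = key.strip()
        elif last is not None and line.strip():
            record[last] += " " + line.strip()
    return record

def validate_record(record):
    """Return a list of findings; an empty list means the record passes."""
    findings = []
    for field in TEMPLATE_FIELDS:
        if field not in record:
            findings.append(f"missing column: {field}")
    for field in REQUIRED_FIELDS:
        if not record.get(field, "").strip():
            findings.append(f"empty required field: {field}")
    basis = record.get("Lawful basis", "").strip().lower()
    if basis and basis not in LAWFUL_BASES:
        findings.append(f"unrecognised lawful basis: {record['Lawful basis']}")
    retention = record.get("Data retention period", "")
    # Accept a duration ("11 years") or an event ("Until the contract ends").
    if retention and not re.search(r"\d+\s*(year|month|day)", retention, re.I) \
            and not retention.lower().startswith("until"):
        findings.append("retention period is neither a duration nor an event")
    return findings

# Transcribed from the banking template above.
BANKING = """
Processing activity name: Credit approval
Data subjects categories: Clients
Data categories: Identification data; Ownership data
Lawful basis: Contract
Purpose: A loan collateral
Data retention period: 11 years
Data controller: Company A
Processing activity details: Signed offer scanned into the loan file and sent to Risk.
Data processor:
Data receiver: FINA (HR)
Security measures: Pseudonymization, Access control, Encryption of data
External systems: Core banking system
Owner name: John Williams, Head of Finance
"""
# Transcribed from the retail template above (event-based retention).
RETAIL = """
Processing activity name: Working hours record
Data subjects categories: Employees
Data categories: SAP ID; Time and stay information
Lawful basis: Legal obligations
Purpose: Recording the time an employee spends in a particular workplace space
Data retention period: Until the employment contract is no longer valid
Data controller: Company A
Processing activity details: Access cards record entry and exit times used for salary calculation.
Data processor: SAP; EXOR
Data receiver: Data Link
Security measures: Pseudonymization, Access control
External systems: ERP
Owner name: Marie Johnson, Head of HR
"""
# Constructed negative example: no receiver, bogus basis, vague retention.
WEB_ANALYTICS = """
Processing activity name: Web analytics
Data subjects categories: Website visitors
Data categories: IP address, cookie identifiers
Lawful basis: Marketing
Purpose: Measuring site usage
Data retention period: as long as needed
Data controller: Company A
Processing activity details: Constructed example of an incomplete record.
Data processor: Analytics vendor
Data receiver:
Security measures: Access control
External systems: Analytics system
Owner name: Jane Doe
"""

if __name__ == "__main__":
    for name, text in (("banking", BANKING), ("retail", RETAIL),
                       ("web analytics", WEB_ANALYTICS)):
        print(name, validate_record(parse_record(text)) or "OK")
```

Run as-is, the banking and retail records pass while the constructed web analytics record produces three findings. Extending the checks is straightforward: a consent-based activity could be required to name where consent is stored, or a processor outside the EU could be required to name the transfer mechanism.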

Software for Managing the GDPR-compliant Processing Records

There are more than a few things you need to take into consideration when deciding on the criteria for suitable software to support your GDPR activities and the Records of processing activities.

The software must provide:

• Central management
• Connectivity with other systems
• Proper collaboration across all organizational units
• A DPO control panel and segregation of ownership of activities
• Tracking changes to data and demonstrating their history
• Automated data removal

Once you have moved your records of processing activities into such software, you are ready to treat them as a living document and keep track of the personal data your company holds and processes. Make sure the records stay accurate and up to date.

Get your free Data Privacy Manager trial

Try Data Privacy Manager and experience how you can simplify managing records of processing activities, third-parties, or data subject requests!
