Records of processing activities - for Data Controllers

This template is designed to make it easier for small and medium-sized enterprises (controllers) to create their own records of processing activities. Each of the 25 sections that make up this form for creating records of processing activities must be adapted to the data processing activities in your organization/company. Keep in mind that it is not a document that is the same for all small and medium-sized enterprises, or organizations/companies, even for those from the same industry, and that the record of processing activities must reflect the data processing activities that you carry out in your organization/company.

In some cases, the company as a data controller must keep records of its processing activities, which, among other things, include data on the purpose of processing, categories of subjects/personal data, categories of data recipients, transfer of personal data to third countries, time periods for data deletion and how long possible description of technical and organizational protection measures.

Regardless of the number of employees, whether you are the processing manager or the processor, you MUST keep processing records if one of the following conditions is met:
  • if the processing is likely to cause a high risk for the rights and freedoms of the data subject (for example: the introduction of new technologies such as biometric readers, facial recognition, IT services that process personal data),
  • if the processing is not occasional, i.e. if the processing is permanent (for example: processing of the employee's personal data for the purpose of payment of wages by the employer),
  • if the processing includes special categories of data (for example: health data, biometric data, genetic data),
  • if the processing includes personal data related to criminal convictions and criminal offences


If you have less than 250 employees and do not meet the above conditions, you are NOT OBLIGATED to keep records of processing activities.

We certainly recommend that you still keep records of processing activities, as records are one of the tools for proving compliance with the General Data Protection Regulation.