Setting up a processing register: what to include (and what not to)

Every SMB with employees needs a processing register. The Dutch DPA checks for it in almost every inspection. Here's a template and exactly what to include.

The processing register (Article 30 GDPR) is the central document. When the DPA comes knocking, this is almost always the first thing they ask for: "show me your register."

For each processing activity, record the following

• Purpose (e.g. "HR administration").
• Categories of data subjects (employees, job applicants, customers).
• Categories of personal data (name, email, national ID number, bank account).
• Legal basis (contract, consent, legitimate interest, legal obligation).
• Recipients (who receives this — internal roles, external parties).
• Retention period (see retention periods).
• Security measures (technical + organisational).
• Where applicable: transfer outside the EEA.

Examples of processing activities in an SMB

• HR administration.
• Customer files / CRM.
• Invoicing and billing records.
• Newsletter mailing list.
• Website visitor data (analytics).
• Cookies / tracking.
• CCTV / office camera surveillance.
• Job applicant administration.

Format

A spreadsheet or Notion database works perfectly well. There is no requirement to use specific tooling. Keep it centralised, up to date, and one row per category.

Maintenance

Do a quick check every quarter: have any new processing activities been added? Have any been discontinued? Carry out a full review once a year.

See also: GDPR pillar, data processing agreements.