GRCWatch
Sign inStart free trial

GDPR A30-02: Records of Processing Activities for Processors

As a data processor, you're legally required to maintain detailed records of every processing activity you perform on behalf of controllers. GDPR A30-02 mandates documentation of processor identity, processing categories, international transfers, and security measures—creating an auditable trail that protects both you and your clients.

What this means

Processors must establish and maintain comprehensive records covering all processing activities undertaken for controllers. These records must identify both the processor and controller, document every category of processing performed, track any international data transfers, and provide a general description of the technical and organizational security measures implemented. This creates a documented account of your data handling practices and demonstrates accountability to regulators.

How to comply

  1. 1.Create a processing activities record that identifies your organization as processor and lists all controllers you work with
  2. 2.Document each category of personal data you process (e.g., names, email addresses, payment information, health data)
  3. 3.Record the purposes for which you process data on behalf of each controller
  4. 4.Track all international data transfers, including recipient countries and applicable legal mechanisms (Standard Contractual Clauses, etc.)
  5. 5.Describe your security measures in general terms, covering technical safeguards (encryption, access controls, monitoring) and organizational measures (training, incident response)
  6. 6.Maintain records in an accessible format for controller requests and regulatory inspections
  7. 7.Update records whenever processing activities change or new security measures are implemented
  8. 8.Ensure records are available to demonstrate compliance during GDPR audits

Evidence auditors look for

  • Processing activities register showing processor name, controller names, and processing categories
  • Data flow diagrams documenting international transfers and transfer mechanisms
  • Processor-controller contracts referencing the records maintained
  • Security documentation including encryption standards, access control policies, and incident response procedures
  • Data retention schedules specifying how long each category is stored
  • Audit logs demonstrating regular record reviews and updates
  • Subprocessor lists documenting onward data transfers

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates processor record creation and maintenance, generating compliant documentation of your processing activities, international transfers, and security measures—eliminating manual tracking and ensuring auditor-ready records.

See how GRCWatch handles this control automatically

Start free trial

Related controls

GDPR A28 — Processor responsibilities and conditionsGDPR A30-01 — Records of processing activities for controllersGDPR A32 — Security of processing