
Documentation


The documentation of personal data is one of the most controversial data protection issues. This page gives you an overview and answers important questions:

Intro: What are the most important facts about documentation?

Requirements: Does the law contain specifics on the topic of documentation?

Duties: What measures need to be implemented when it comes to documentation?



Records of processing activities of the controller and the processor. What you should know about documentation.





What are the most important facts about documentation?

The documentation of processing activities means that the company records which personal data it processes and for what purpose. Certain legally defined circumstances of the processing must also be documented, such as the storage period of the data and the protective measures taken for the processing.

A key question of the documentation obligation is when data processing is carried out in the legal sense. This is always the case when so-called personal data is processed – i.e. data with which a person can be identified or at least individualized. For example, the tracking of website visitors also constitutes one or more data processing operations that must be documented.

In addition, the question arises as to how exactly processing should be documented. When defining a processing activity, the responsible company should be guided not by the circumstances or individual process steps of the processing, but by its overriding purpose. Wherever there is a process with its own purpose, there is data processing. The purpose must be formulated in sufficiently concrete terms. A purpose is also not to be equated with a process-related category (e.g. “Creation of...” or “Use of...”).



Does the law contain specifics on the topic of documentation?

The relevant provision for the documentation of processing activities is Art. 30 GDPR.
The first paragraph lists the categories of data that the controller must document. If a so-called processor is involved in the documentation, the processor must document the data categories specified in paragraph 2. A company that processes data not only as a controller but also as a processor must keep two types of documentation accordingly.



What measures need to be implemented when it comes to documentation?

According to the law, the result of the documentation of processing activities should be a “register” in which all processing activities of a company are described. This register can be kept in both physical and digital form (also in the form of a software solution).


