GDPR Processing Records Template: Free Article 30 Guide for SMEs
Maintaining records of processing activities is one of the most concrete and auditable obligations under the General Data Protection Regulation (Regulation 2016/679). Yet many small and medium-sized enterprises either skip it entirely or maintain records that are incomplete and unlikely to satisfy a supervisory authority inspection. This guide walks through Article 30 requirements, provides a free template structure, and shows a worked SME example.
Why Article 30 Records Matter
Article 30 GDPR requires every controller and processor to maintain records of their processing activities. These records serve as the documentary backbone of accountability — without them, you cannot demonstrate compliance, and you cannot identify where personal data flows, which is the first step in any breach response or data subject rights request.
The EDPB (European Data Protection Board) has consistently emphasized records of processing activities (ROPA) as a prerequisite for demonstrating the accountability principle under Article 5(2). In its 2021 Guidelines 01/2021 on Examples regarding Personal Data Breach Notification, the EDPB showed how incomplete data maps directly led to inadequate breach notifications. The ROPA is your data map.
Practically, supervisory authorities across EU member states have issued fines to organizations that could not produce up-to-date ROPA on request. The German DPA (DSK) and France's CNIL both include ROPA review in standard audits.
Who Is Exempt?
Article 30(5) provides an exemption for organizations with fewer than 250 employees — but only where the processing is "not likely to result in a risk to the rights and freedoms of data subjects, is occasional, or does not include special categories of data." In practice, this exemption is narrow. If you process employee data, customer data, or any health information, the exemption likely does not apply regardless of your headcount.
The EDPB and national DPAs have all recommended that SMEs maintain ROPA regardless of the exemption, as it is the foundation for virtually every other compliance obligation.
Mandatory Fields Under Article 30(1) — Controller
For controllers, Article 30(1) requires the following minimum fields:
Identity and contact
- Name and contact details of the controller
- Where applicable, the joint controller(s)
- The Data Protection Officer (DPO) contact if one has been designated
Processing activity details
- Purposes of the processing
- Description of the categories of data subjects
- Description of the categories of personal data
Recipients and transfers
- Categories of recipients to whom the personal data has been or will be disclosed
- Where applicable, transfers to third countries or international organizations, including documentation of appropriate safeguards (Standard Contractual Clauses, adequacy decisions)
Retention and security
- Where possible, the envisaged time limits for erasure of different categories of data
- Where possible, a general description of the technical and organizational security measures (Article 32)
Mandatory Fields Under Article 30(2) — Processor
If you act as a data processor on behalf of controllers, the requirements mirror Article 30(1) but focus on the processor's perspective: categories of processing, third country transfers, and security measures.
Free ROPA Template Structure
Below is a minimal template structure you can adapt for your organization. Each row in your ROPA represents one processing activity.
| Field | Example |
|---|---|
| Activity ID | ACT-001 |
| Activity Name | Customer newsletter management |
| Controller | Acme Ltd, 123 Example Street, London |
| DPO | [email protected] |
| Purposes | Direct marketing, relationship management |
| Legal Basis | Consent (Art. 6(1)(a)) |
| Data Subjects | Prospects, existing customers |
| Data Categories | Email, first name, last name, purchase history |
| Special Categories | None |
| Recipients | Internal marketing team; Mailchimp (processor) |
| Third-Country Transfers | USA — Mailchimp, SCC + DPA in place (post-Schrems II) |
| Retention Period | 3 years from last interaction |
| Security Measures | TLS in transit, AES-256 at rest, access logging |
| Last Updated | 2026-04-06 |
Worked SME Example: Online Retail (15 Employees)
Consider a small e-commerce company selling artisan goods across the EU with 15 employees and no formal DPO. Despite being below 250 employees, they process customer data continuously and must maintain ROPA.
Processing activity 1 — Order fulfillment
- Purpose: Fulfill purchase orders, manage returns
- Legal basis: Performance of a contract (Art. 6(1)(b))
- Data: Name, delivery address, email, phone, payment reference
- Recipients: Shipping partner (DHL), payment processor (Stripe)
- Transfers: USA — Stripe, SCC in place
- Retention: 10 years (accounting obligation, Art. 6(1)(c))
Processing activity 2 — Website analytics
- Purpose: Improve user experience, measure performance
- Legal basis: Consent (Art. 6(1)(a)) via cookie banner
- Data: IP address (anonymized after 24h), page views, browser type
- Recipients: Analytics platform (Matomo, self-hosted)
- Transfers: None
- Retention: 13 months rolling
Processing activity 3 — Employee payroll
- Purpose: Salary administration, social contributions
- Legal basis: Legal obligation (Art. 6(1)(c))
- Data: Name, bank details, social security number, salary
- Recipients: Payroll software vendor (Silae), accountant
- Transfers: France only
- Retention: 5 years (labor law obligation)
This small company already has three distinct activities with different legal bases, retention periods, and transfer implications. Each must be documented separately.
Keeping Records Up to Date
The ROPA is not a one-time exercise. It must reflect your current processing. The EDPB recommends reviewing your ROPA at least annually and whenever a new processing activity is introduced, an existing activity changes materially, or a processor relationship is modified.
A practical approach is to tie ROPA reviews to procurement and product development. Whenever a new SaaS tool is onboarded or a new product feature processes personal data, a ROPA entry should be created or updated before go-live.
How WarDek Supports Article 30 Compliance
WarDek's compliance module provides a structured ROPA builder that guides you through each mandatory field, flags missing information, tracks processor relationships, and generates audit-ready exports. For teams without a dedicated DPO, the guided workflow reduces the time to produce a compliant ROPA from days to hours.
Explore WarDek's GDPR compliance features and see how automated monitoring keeps your records current as your organization evolves.
Key Takeaways
Article 30 records are not optional for most SMEs despite the headcount exemption. A well-maintained ROPA gives you a data map that supports breach response, data subject rights requests, and supervisory authority audits. Start with one processing activity, document it fully, and build from there. The template structure above covers every mandatory field and adapts to any industry.
For related reading, see our guide on GDPR data processor obligations under Article 28.