One of the most widespread — and most dangerous — beliefs among SMEs is that the Record of Processing Activities (RAT, from the Spanish "Registro de Actividades de Tratamiento") is only mandatory for large companies. The confusion has a real basis: Article 30.5 of the GDPR mentions an exemption for organisations with fewer than 250 employees. The problem is that almost nobody reads the second half of the sentence, the one that cancels out the exemption in the vast majority of cases. An eight-person consultancy that manages client payrolls, or a clinic with five professionals processing health data, carry out processing that is not "occasional" or that involves special categories of data, so the exemption simply does not apply to them. This article debunks that myth, explains who is really required to keep the RAT — as controller and as processor — and details, field by field, how to build a record that actually holds up in an AEPD inspection, not just a document sitting in a drawer.
What the RAT is and why it is the cornerstone of accountability
The Record of Processing Activities is the documented inventory of every personal data processing operation carried out by an organisation: what data it processes, for what purpose, who it shares it with, how long it keeps it and what security measures it applies. It is not just another bureaucratic form: it is the practical expression of the accountability principle in Article 5.2 of the GDPR, which requires the controller to be able to demonstrate compliance with the processing principles, not merely declare it. Without an up-to-date RAT, an organisation cannot prove to the AEPD what data it processes or on what legal basis, which makes this record the first document the Agency requests when opening any investigation.
The RAT is not a stand-alone document either: data protection impact assessments (Art. 35), risk analysis, responses to data subject rights requests and the notification of security breaches itself all depend on having the processing activities, their purposes and their recipients precisely identified. A poorly built RAT does not just breach Article 30: it drags errors through the entire compliance chain.
The myth of the under-250-employee exemption: what Article 30.5 really says
Article 30.5 of the GDPR states that the obligations of paragraphs 1 and 2 — keeping the record as controller or as processor — shall not apply to an enterprise or an organisation employing fewer than 250 persons, unless one of these three circumstances is present:
- The processing carried out is likely to result in a risk to the rights and freedoms of data subjects.
- The processing is not occasional.
- The processing includes special categories of data under Article 9.1 of the GDPR (health, ethnic origin, trade union membership, sexual orientation, biometric data, among others) or data relating to criminal convictions and offences under Article 10.
The key lies in the second condition, "the processing is not occasional", because in practice almost no SME escapes it. Managing employee payroll, maintaining a customer database, handling recruitment applications or sending regular marketing communications are structural, recurring processing operations, not occasional by definition. It only takes one of the organisation's processing activities to meet one of the three conditions for the obligation to keep the RAT to arise for that activity — and in practice, the reasonable and defensible approach is to document the organisation's full set of processing activities, not just the one that technically triggers the obligation. The Spanish Data Protection Agency confirms this in its guidance: the Article 30.5 exemption has a very limited scope in practice and should not be read as a blanket dispensation for SMEs. In other words: if your company has employees on payroll, customers with contact details, or a web form that regularly collects personal data, you need a RAT, whether you have 3 employees or 200.
Who is required to keep the RAT: controller and processor are different records
Article 30 of the GDPR does not impose a single obligation but two parallel records with different content, depending on the role the organisation plays in relation to each processing activity:
- As controller (Art. 30.1): the organisation that decides the purposes and means of the processing — the company that collects data from its own customers or employees — must maintain a record of all processing activities carried out under its responsibility.
- As processor (Art. 30.2): the organisation that processes data on behalf of a third party — a payroll agency processing client payrolls, a software provider hosting another company's user data — must maintain a record of all categories of processing activities carried out on behalf of each controller.
Many organisations hold both roles at once, depending on the processing activity in question: a consultancy is the controller with respect to its own employees' data, but the processor with respect to the payroll data it manages for its clients. Confusing the two roles — or keeping a single generic record without distinguishing the role played in each activity — is one of the mistakes we most frequently detect when auditing compliance for new clients. If you are unsure which role your organisation plays for a given processing activity, our guide on processor vs. controller: key differences develops this distinction with practical examples.
How to structure the RAT as controller: field by field
Article 30.1 of the GDPR sets out the minimum content that must appear in the record when the organisation acts as controller. A complete RAT that will hold up under inspection must include, for each processing activity:
- Identification of the controller: name and contact details of the controller and, where applicable, the joint controller, the controller's representative and the data protection officer.
- Purposes of the processing: the specific reason data is processed — payroll management, invoicing, sending marketing communications, video surveillance, access control — avoiding generic descriptions such as "administrative management".
- Description of the categories of data subjects and of personal data: who the data subjects are (employees, customers, candidates, suppliers) and what type of data is processed for each category (identification, financial, health, biometric).
- Categories of recipients to whom the data have been or will be disclosed, including recipients in third countries or international organisations.
- International data transfers, where applicable, including the identification of the receiving country or international organisation and documentation of the safeguards applied (adequacy decision, standard contractual clauses or another mechanism under Chapter V of the GDPR).
- Envisaged time limits for erasure of the different categories of data, where possible to determine.
- A general description of the technical and organisational security measures applied under Article 32.1 of the GDPR (encryption, access control, backups, password policies, among others).
To this minimum list it is worth adding two extra columns that make day-to-day compliance easier: the legal basis for processing (consent, performance of a contract, legal obligation, legitimate interest, among others under Article 6 of the GDPR) and the source of the data, especially when it is not collected directly from the data subject. Neither is a literal requirement of Article 30.1, but both are nearly essential for responding quickly to a rights request or an impact assessment.
How to structure the RAT as processor: field by field
When the organisation processes data on behalf of a third party, Article 30.2 of the GDPR requires a record with content adapted to that position:
- Identification of the processor or processors and of each controller on whose behalf it acts, as well as, where applicable, the representative of the controller or processor and the data protection officer.
- Categories of processing carried out on behalf of each controller, without needing to detail each specific purpose of the controller, but including the type of operation performed (data hosting, payroll processing, sending communications, technical support with data access).
- International data transfers to a third country or international organisation, where applicable, with the same requirement to document the safeguards applied as in the controller's record.
- A general description of the technical and organisational security measures under Article 32.1 applied to the processing carried out on behalf of the controller.
Unlike the controller's record, the processor's record does not require detailing the categories of data subjects and personal data, or the erasure time limits, because that information properly belongs to the controller, who decides the purposes of the processing. It is nonetheless good practice for the processing agreement (Art. 28 GDPR) to cross-reference the processor's RAT with the controller's, so both documents remain consistent with each other in the event of a joint inspection.
Format, medium and availability to the supervisory authority
Article 30.3 of the GDPR requires that the records — both the controller's and the processor's — be kept "in writing, including in electronic form", which in practice excludes a purely verbal or informal record but allows any documentary medium: a spreadsheet, a template in a document management system, or a dedicated module within a compliance tool. There is no mandatory official format imposed by the AEPD, although the Agency itself publishes an indicative template that is useful as a starting point.
Article 30.4 adds an obligation of availability, not publication: the controller or processor must make the record available to the supervisory authority on request. This means the RAT does not have to be published on the website or handed over to the AEPD proactively, but it must always be locatable and up to date, ready to be produced within whatever deadline the Agency sets if it opens an inspection or handles a complaint. A RAT that exists but that nobody can find breaches this obligation, in practice, just as much as having no record at all.
In Spain, Article 31 of the LOPDGDD restates this obligation and adds a nuance worth knowing: the public-sector entities listed in Article 77.1 of that law — public administrations and public bodies, among others — must publish an inventory of their processing activities, accessible by electronic means, with the information required by Article 30 of the GDPR and its legal basis (Article 31.2 LOPDGDD).
The RAT as a living document: the role of the data protection officer
The most costly mistake when preparing the RAT is not the absence of one, but treating it as a one-off deliverable: drafted when the GDPR compliance service is contracted, filed away, and never touched again. An outdated record — one that does not reflect a new payroll provider, a recently contracted marketing tool, or a new video surveillance process — is just as detectable in an inspection as having no record at all, and it also projects an image of organisational disorder that tends to aggravate any sanctioning assessment.
This is where the role of the data protection officer under Article 39 of the GDPR comes in: among their advisory and monitoring functions is keeping the organisation's processing map up to date, reviewing the RAT whenever a new provider is brought on board or a purpose changes, and making sure the documentation matches the company's actual operations, not a frozen snapshot from the day of the initial audit. A well-structured external DPO does not hand over the RAT and disappear: they review it periodically and update it whenever the organisation makes a relevant change to its processing activities. If your company does not yet have this role in place, or wants to outsource it, you can see how we structure the service on our external DPO for organisations page.
Common mistakes when preparing the Record of Processing Activities
The failures we most frequently detect when reviewing existing records for new clients follow a recognisable pattern:
- Assuming the Article 30.5 exemption applies without analysing whether any of the organisation's processing activities is non-occasional or involves special categories of data, when in practice it almost always is.
- Confusing the controller's record with the processor's record, merging both into a single document without distinguishing the organisation's role in each processing activity.
- Overly generic purpose descriptions, such as "customer data management", that do not allow the legal basis applied to be justified.
- Omitting international transfers, especially when using marketing tools, web analytics or cloud storage hosted outside the European Economic Area.
- Not linking the RAT to the actual security measures in place, describing generic controls that do not correspond to what actually protects each processing activity.
- Leaving the record unreviewed for years, without incorporating new providers or processing activities that emerged after the document was first drafted.
What you risk if you have no RAT or it is outdated
Breach of Article 30 of the GDPR is punishable under Article 83.4.a) of the GDPR, which provides for fines of up to €10 million or 2% of total worldwide annual turnover of the preceding financial year, whichever is higher. This tier is the same one that applies to other "instrumental" breaches of the regulation — such as the absence of a mandatory DPO or of an impact assessment when required — while the higher tier of Article 83.5, up to €20 million or 4%, is reserved for more serious infringements related to the processing principles or data subjects' rights.
For SMEs, the proportionality principle of Article 83.1 moderates the final amount based on the nature, gravity and duration of the infringement. But the absence of a RAT rarely results in an isolated sanction: in the AEPD's practice it is usually detected as part of an inspection triggered by another cause — a complaint from a data subject, a security breach — and it aggravates the outcome of that investigation, because it reveals that the organisation has no documented control over its own processing activities. Domestically, the LOPDGDD expressly codifies not keeping the Article 30 record as a serious infringement (Article 73.n), failing to make it available to the authority on request also as serious (Article 73.ñ), and keeping a record that does not include all the required information as a minor infringement (Article 74.l).
How much does it cost to keep a Record of Processing Activities up to date
The cost of preparing and maintaining a RAT varies according to the number of processing activities identified, the complexity of the business, the number of providers and processors involved, and whether the service is contracted as a stand-alone document or as part of a GDPR compliance process that includes periodic review. There is no fixed market rate, and it makes no sense to set a generic price without knowing the organisation's specific activity. If you want to understand the factors that determine the cost of having an external DPO who, among other functions, keeps the RAT up to date, see our guide on external DPO pricing: variables and indicative range.
Summary table: the Record of Processing Activities
| Aspect | What the rule requires | Legal basis |
|---|---|---|
| General obligation | Keep a record of the organisation's own processing activities (controller) or those carried out on behalf of third parties (processor) | Arts. 30.1 and 30.2 GDPR |
| Under-250-employee exemption | Only applies if the processing is occasional, poses no risk and does not involve special categories of data or criminal data; very limited scope in practice | Art. 30.5 GDPR |
| Content of the controller's record | Identification, purposes, categories of data subjects and data, recipients, international transfers, erasure time limits, security measures | Art. 30.1 GDPR |
| Content of the processor's record | Identification of the processor and each controller, categories of processing, international transfers, security measures | Art. 30.2 GDPR |
| Format and availability | In writing, including electronic form; available to the AEPD on request | Arts. 30.3 and 30.4 GDPR |
| Non-compliance | Fine of up to €10M or 2% of worldwide turnover | Art. 83.4.a) GDPR |
Frequently asked questions
Is the Record of Processing Activities mandatory if my company has fewer than 250 employees?
In most cases, yes. The Article 30.5 exemption of the GDPR only applies when the processing is occasional and one-off, poses no risk to data subjects' rights, and does not involve special categories of data or data relating to criminal convictions or offences. Managing payroll, maintaining a customer database or handling job applications are structural processing activities that make the exemption inapplicable, regardless of the organisation's number of employees.
Can I use a generic template downloaded from the internet to prepare the RAT?
It can serve as a starting point, but is rarely sufficient on its own. Article 30 requires the record to accurately reflect your organisation's actual processing activities — specific purposes, precise categories of data and data subjects, actual recipients — and an unadapted generic template tends to end up with descriptions too vague to withstand a detailed AEPD inspection.
Does the RAT have to be publicly available on the company's website?
No. Article 30.4 of the GDPR requires the record to be made available to the supervisory authority on request, not published publicly. This is different from the information obligation to data subjects in the privacy policy, which must indeed be public, but at a different level of detail from the RAT. The exception is public-sector entities under Article 77.1 of the LOPDGDD, which Article 31.2 requires to publish an inventory of their processing activities accessible by electronic means.
How often does the Record of Processing Activities need to be updated?
There is no fixed deadline in the regulation, but the RAT should be updated whenever a relevant change occurs: a new provider or processor, a new data processing activity, a change to existing purposes, or a change in international transfers. In practice, it is advisable to set a periodic review — at least annually — in addition to the ad hoc updates triggered by each change.
What is the difference between the RAT and a Data Protection Impact Assessment (DPIA)?
The RAT is a descriptive inventory of all of the organisation's data processing activities, generally required under Article 30 of the GDPR. The Data Protection Impact Assessment (DPIA), governed by Article 35, is a specific and detailed risk analysis that is only mandatory for processing likely to result in a high risk to the rights and freedoms of individuals. The RAT is usually the starting point for identifying which processing activities also require a DPIA.
What happens if I have a RAT but it is incomplete or outdated?
The LOPDGDD distinguishes the two scenarios: keeping a record that does not include all the information required by Article 30 is a minor infringement (Article 74.l), while having no record at all is a serious infringement (Article 73.n); both fall within the sanctioning framework of Article 83.4.a) of the GDPR. In either case, an incomplete or outdated record does not allow the organisation to demonstrate compliance with the accountability principle of Article 5.2 of the GDPR. During an inspection, the AEPD tends to pay particular attention to whether the record reflects the company's actual activity at the time of the review, not the activity it had when the record was first drafted.
If your company needs to prepare, review or keep its Record of Processing Activities up to date — as controller, as processor, or both — at Summum Consultoría we integrate this task within our GDPR compliance service for companies, with periodic review carried out by the data protection officer. If your organisation has not yet started the compliance process, our guide GDPR step by step: a practical guide to bringing your company into compliance explains where to start.