Argana Consulting GmbH 
Let's rather talk about how to solve the problems.

List of processing activities

The processing activities list is a central component of the General Data Protection Regulation (GDPR) and contains information about the processing of personal data by a company. The processing activities list is a document that must be kept by every company organisation that processes personal data in accordance with Article 30 of the General Data Protection Regulation (GDPR)

The list of processing activities is an important tool for meeting the transparency requirements of the General Data Protection Regulation (GDPR) and enables data subjects to exercise their rights. It is also an important tool for data protection authorities to monitor compliance with data protection rules.

The list of processing activities should include information on the following aspects:

  • Responsible body: The responsible body in the company must be clearly designated. The responsible body in the company is the natural or legal person who decides which personal data is processed and for what purpose. This body is also referred to as the "controller" and is responsible for compliance with data protection regulations.
  • Purpose of processing: The purpose for which the personal data is processed should be described. This may, for example, be the processing of business transactions or the fulfilment of contractual obligations.
  • Categories of data subjects: The categories of data subjects affected by the processing should be described. These may be customers, employees or suppliers, for example.
  • Categories of personal data: The types of personal data that are processed should be described. This may include, for example, name, address, e-mail address, bank details or health data.
  • Recipients or categories of recipients: The data subject should be informed to whom the personal data will be disclosed. This may be, for example, partner companies or government agencies.
  • Transfer to a country outside the EU or to an international organisation: It should be described whether personal data is transferred to countries outside the EU or to international organisations and which protective measures are taken to adequately protect the data.
  • Retention periods: The length of time for which personal data is stored should be described.
  • Technical and organisational measures: Technical and organisational measures should be described that are taken to ensure the security of personal data.


The list of processing activities can be kept in electronic or paper form, as long as it meets the requirements of the GDPR and is available or accessible at all times. It should be regularly updated and adapted to changes in processing activities.

The processing activities register is usually managed by a data protection officer or another responsible employee. It can be stored in a central database or a document management system that is accessible to all relevant employees. Those responsible should ensure that the processing activities register is correct and complete and that it is kept up to date.

In some cases, such as large organisations or complex processing activities, it may also be appropriate to have the register of processing activities managed by an external data protection consultant or service provider who has the necessary expertise and experience to ensure compliance with the GDPR.

A document directory of processing activities must be created for each application or IT system that creates, manages, processes or stores personal data. 


Stock-keeping application

The term "master data management" is used in the IT sector to refer to the IT system or application in which the master data and information for a specific business process or area is managed. It is the leading system that serves as the central data source and reference for other applications.

With regard to the General Data Protection Regulation (GDPR), it is important to identify the inventory-keeping application, as it forms the basis for the processing of personal data. The GDPR requires companies to keep accurate and complete documentation of all processing activities involving personal data, including the inventory-keeping application(s) and all other applications or systems that process or access personal data.

Identifying the inventory-keeping application(s) is an important step in creating a record of processing activities in accordance with Article 30 of the GDPR and in conducting a data protection impact assessment in accordance with Article 35 of the GDPR. Accurate documentation of the inventory-keeping application(s) and the associated processing activities is also an important prerequisite for ensuring compliance with the rights of data subjects and for implementing effective technical and organisational measures to protect personal data.