Article 30 GDPR requires each controller and each processor to maintain a record of processing activities under its responsibility which must be in writing (including electronic form). Article 30 details the minimum content of the record.
Some DPA made available model forms and notes for keeping records of processing activities:
- the BayLDA, the Bavarian DPA for the controller and for the processor;
- the ICO, the UK Information Commissioner’s Officer, see here;
- the AEPD, the Spanish DPA, see Annexes IV and V, p. 38 and 39 and a description on how to fill them out in p. 20-23;
- the CNIL, the French DPA, created a toolkit detailing six steps to comply and a template for the Register of processing operations and a template for data breach notifications, both in French.