Record of processing activities: how do you document archives and destruction?
Article 30 of the GDPR requires every organisation with more than 250 staff, and in practice almost anyone who structurally processes personal data, to keep a record of processing activities. That obligation covers archive management and destruction, because storage is itself a form of processing. But what exactly needs to go into that record about archives and destruction? This article gives a practical template without unnecessary bureaucracy.
What the GDPR requires
Article 30(1) explicitly mentions:
- Name and contact details of the controller.
- Purposes of the processing.
- Categories of data subjects and personal data.
- Categories of recipients.
- Any transfers to third countries.
- **Envisaged time limits for erasure.**
- General description of technical and organisational security measures.
The bold line is where archive and destruction directly meet. A record without a retention period is incomplete.
Per processing activity: what do you note about the archive?
Per processing activity (customer administration, HR file, applicants, etc.) you record:
- Retention period: how long do you keep it, and based on which law or ground? See the GDPR retention periods cheatsheet for the standard rules.
- Trigger for the period: from end of employment, date of last invoice, signing of deed, etc.
- Location of the archive: office, external archive depot, cloud service.
- Access: who has access?
- Destruction method: shred at DIN P-5, cryptographic erasure or other.
- Destruction frequency: yearly, quarterly, ad hoc.
General: the security section
Alongside the per-processing row, the record should include a general security policy that covers:
- Physical security of the archive room: locked cabinets, access control, local alarm.
- Procedure around destruction: who designates documents, who signs the certificate, who keeps the evidence.
- Processor agreement with the destruction supplier: read the processor agreement checklist for what it should contain.
- Retention period for certificates: we advise 5 years.
Template: a row in the record
| Field | Example value |
|---|---|
| Processing | B2B sales customer administration |
| Purpose | Performance of contract, tax retention duty |
| Categories of data | Name and address, email, phone, invoicing details |
| Retention period | 7 years after last invoice |
| Legal basis | AWR art. 52 |
| Location | Cloud (Exact Online) plus paper backup in archive cabinet |
| Access | Bookkeeping, management |
| Destruction method | Cloud: cryptographic erasure. Paper: DIN P-5 mobile shredding. |
| Frequency | Yearly after 31 March (after year-end close) |
How do you reference your destruction supplier?
Under "categories of recipients" you name the supplier of destruction services. You also reference the processor agreement you have signed with that supplier. Read our processor agreement checklist for what it should contain.
The destruction supplier is a processor under GDPR art. 28. They have short-term access to personal data (in boxes awaiting destruction). That requires a processor agreement.
Keep the evidence of destruction
The record itself is not evidence that destruction took place. You need the certificate for that. Keep every certificate:
- At least 5 years after the destruction date.
- In a findable place (compliance folder, shared drive, contract system).
- With a reference from the record to the certificate location.
For the general certificate requirements, see the certificate of destruction.
How often do you update the record?
- Annually: a standard review, ideally combined with the audit.
- On every new processing activity: add a new row.
- On a change of destruction supplier: update the contact details.
- On a change in retention period: for example after a sector-specific change in legislation.
Common mistakes
- "Retention period: forever". Not a valid period under the GDPR.
- "Retention period: as long as needed". Too vague; the AP (Autoriteit Persoonsgegevens, the Dutch data protection authority) wants an explicit period.
- Destruction supplier not included. They are a processor; they belong in the record.
- Different periods mixed together. Each category has its own period; not "7 years for everything".
- No certificate retention strategy. Keep the evidence or it is as if nothing happened.
For whom is this mandatory?
Strictly speaking, article 30 applies to organisations with more than 250 staff. In practice the AP uses the record as a touchstone for almost any organisation that regularly processes personal data. Not having a record because you "only have 50 staff" is technically defensible but weak during an AP visit. A proportionate record is the better option: a simple spreadsheet with the rows described above.
Sector examples
For sector-specific processing activities, see our articles for:
- SME and GDPR document destruction
- WGBO 20 years for patient files
- Wwft 5 years for client investigation
- Wft 5 years for financial files
Processor agreement and destruction certificate from one supplier.
We provide a standard processor agreement under GDPR art. 28 and certificates per job. Directly linkable to your record.
Setting up a record for the first time? Email us via desnipperaar.nl. We are happy to share a template row for archive and destruction.