← All guides

The GDPR Article 30 Record for SMEs: What Goes In — and Does the Exemption Apply to You?

6 min read · Updated 15 lipca 2026

What is an Article 30 record?

Article 30 of the GDPR requires organisations to maintain a written record of their processing activities — a structured overview of what personal data you process, why, about whom, and how it is protected. It is not paperwork for its own sake: the record is the first document a supervisory authority asks for during an audit, and it is the foundation for almost everything else in GDPR compliance — retention policies, data processing agreements and responding to access requests.

What must the record contain?

For each processing activity, the record of a controller must include:

  • Name and contact details of your organisation (and your DPO, if you have one)
  • The purpose of the processing — for example payroll or marketing
  • Categories of data subjects — for example employees, customers, applicants
  • Categories of personal data — for example names, national ID numbers, salary data, health data
  • Categories of recipients — for example payroll providers, accountants, public authorities, IT vendors
  • Transfers to third countries and the transfer mechanism, where relevant
  • Retention periods — when the data is erased, per category where possible
  • A general description of technical and organisational security measures — for example access control, encryption and backups

The record must be in writing (electronic is fine) and available to the supervisory authority on request. If you act as a processor for others, a slightly shorter, parallel requirement applies.

The typical processing activities in an SME

Most small and medium-sized companies can cover the bulk of their record with a handful of standard activities:

  1. Payroll and personnel administration: national ID numbers, bank details, tax data, absence records. Recipients: payroll provider, tax authority, pension fund.
  2. Recruitment: applications, CVs, references. Set a short retention period for rejected candidates — commonly around 6 months unless they consent to longer.
  3. HR in general: personnel files, appraisal notes, warnings, sickness absence (which can include health data — a special category).
  4. Customers and suppliers: contact persons, order history, invoicing data. Accounting records typically follow national bookkeeping retention rules, often 5 years or more.
  5. Marketing: newsletter lists, consents, cookie data, CRM.
  6. IT operations and security: log files, access management, CCTV if you have it.

With those six categories in place, most SMEs have captured 80-90 percent of their processing — the rest is industry-specific.

The under-250 exemption — and why it rarely saves you

Article 30(5) contains an exemption: organisations with fewer than 250 employees do not have to keep the record. It sounds like a free pass for SMEs — but read the conditions. The exemption does not apply if the processing:

  • is likely to result in a risk to the rights and freedoms of data subjects, or
  • is not occasional, or
  • includes special categories of data (for example health or trade union membership) or data on criminal convictions

And here the house of cards falls: if you have even one employee, you run payroll every month. Payroll is by definition not occasional — and for every non-occasional activity, the record must be kept. The same goes for customer administration and marketing. Sickness absence data and union membership (for example dues deducted from salary) are on top of that special categories.

The conclusion from the European Data Protection Board and national authorities is clear: in practice, virtually every company with employees must keep a record covering its regular, recurring processing. The exemption at most excuses individual, genuinely occasional activities — never the company as a whole.

How to approach it

  1. Start with the six standard activities above and add anything industry-specific.
  2. Fill in the fields per activity — purpose, categories, recipients, retention, security.
  3. Use the record actively: it quickly exposes missing data processing agreements and missing retention rules.
  4. Review it on a fixed schedule, for example once a year, and whenever you adopt new systems.

A missing record can be fined (up to 10 million euros or 2 percent of global turnover in the most serious cases), but the practical risk for an SME is more down-to-earth: without the record you cannot demonstrate your GDPR work, and any audit quickly becomes uncomfortable.

How Verkta helps

Verkta's GDPR module includes a ready-made Article 30 record with the typical SME processing activities pre-filled — you adapt instead of starting from a blank page. The module reminds you about the annual review and keeps the record, your processor overview and your other GDPR documents in one place. Try it free for 14 days.

GDPR Article 30 requires a record of processing activities. Many SMEs believe the under-250-employees exemption covers them — it almost never does. Here is what the record must contain.