Processing records often exist — but they are not operationally useful. A Word document updated annually cannot show the current state of processing activities, legal bases, or retention periods.
EAB structures the Article 30 processing register as a live governance layer — linked to vendors, TOM profiles, DPIAs, and the AI governance record where personal data is processed by AI systems.
“Every GDPR-regulated organisation maintains a processing register. Most update it once a year. None can show the exact state of processing activities on a specific date in the past — the date when a data subject's request was received, or when a breach occurred, or when a supervisory authority asks to see the record.”
The Verarbeitungsverzeichnis module structures Article 30 processing records as governed objects — not a static document, but a live register with structured fields, ownership, and a history of changes. Each processing activity has all required Article 30 elements: purpose, legal basis, data categories, recipients, transfers, retention periods, and safeguards.
Processing records are linked to vendor records — so the processors supporting each activity are visible in the register. TOM profiles are linked to processing activities — so the safeguards protecting each activity are part of the record. DPIA triggers are assessed per processing activity.
For processing activities that involve AI systems, the processing record is linked to the AI system governance record — so the AI Act obligations and the GDPR processing record are connected in one governance infrastructure, not maintained separately.
Each capability is connected to the shared system inventory, evidence layer, and audit trail.
Each processing activity is documented with all Article 30 required fields — purpose, legal basis, data categories, recipients, transfers, retention period, and safeguards. Structured fields, not a free-text register.
The legal basis for each processing activity is documented and tracked. For special category data under Article 9, the applicable exemption is documented separately. Legal basis changes trigger a governance event in the record.
Processing activities involving AI systems are linked to the AI system governance record. The GDPR processing record and the AI Act obligation record share one system inventory — so the connection between personal data processing and AI use is explicit.
Vendors supporting each processing activity are linked from the processing record — showing the processor relationship, DPA status, and sub-processor chain. No separate cross-referencing between register and vendor list required.
Each processing activity is assessed for DPIA trigger criteria — high risk, systematic monitoring, large-scale special category data, and automated decision-making. DPIA requirements surface from the register automatically.
The processing register is exportable in a format suitable for supervisory authority submission. The export reflects the current state of the register — with version history showing previous states at any point in time.
The Verarbeitungsverzeichnis module uses the same system inventory as the EU AI Act module. AI systems in the processing register are the same systems that are registered and governed in the EU AI Act module — no separate AI system list to maintain.
Vendor records, TOM profiles, and evidence artefacts are shared across the GDPR module and the EU AI Act module. An organisation that uses an AI system to process personal data has one governance record — not separate GDPR and AI Act records that reference each other by name.
At audit time, whether a supervisory authority is reviewing GDPR compliance or EU AI Act compliance, the governance record is one coherent infrastructure — system inventory, processing register, vendor governance, TOM profiles, and AI Act obligations connected.
Available as part of the GDPR Module for Professional and Enterprise. Shares one system inventory, one evidence layer, and one audit trail with the EU AI Act module.
EU-hosted · Anchored to CELEX 32024R1689