How to set up a GDPR processing register
- KVK Editors
- The basis
- 23 September 2022
- Edited 12 May 2025
- 3 min
- Rules and laws
If you work with personal data, you must comply with the EU privacy regulation GDPR. This law says you must create a processing register. In this register, you record what data you use and why you use it.
Personal data is data that says something about someone. This includes a name, address, and telephone number, but also customer and employee numbers, online purchasing behaviour, and video and audio recordings in which a person is recognisable.
You must have a processing register
Under the GDPR (AVG in Dutch), you must follow a number of rules when working with personal data. For example, you must draw up a privacy statement, properly secure the data you collect, and keep a processing register. This register helps you prove that you comply with the GDPR rules.
A processing register is mandatory. If you do not have a register, or if it does not meet the requirements, the Dutch Data Protection Authority (AP) may impose a fine. The amount of the fine depends on the violation.
How to create and maintain a processing register
In a processing register, you record which personal data you process and for what purpose. This means that you do not store the names and addresses of, for example, customers in your register.
There is no fixed format for making your register. You are free to decide how to set it up. Some sector organisations have a sample processing register that you can use as a basis.
According to the GDPR, the processing register must contain the following information:
- The details of the entity or person who determines which personal data your business collects and for what purpose: the controller. This could be you, or your legal entity, your BV for example.
- The reasons for which you process the personal data. You determine these before you start processing personal data. Examples include delivering products, recruiting and selecting staff, or direct marketing.
- The group of people whose data you process, such as customers or employees. These are the data subjects.
- The type of personal data you process for each purpose. For example, name, address, place of residence, and IP address.
- Whether, and with whom, you share personal data. For example, do you send orders via a parcel service? Then you share the customer's personal data with the delivery service provider.
- You record the measures you take to protect the personal data. An example of a security measure is setting up multi-factor authentication for documents or your laptop.
- Some personal data must be kept for a number of years by law. For example, you must keep your financial records for 7 years for the Netherlands Tax Administration. If you process data for which there is no legal retention period, do not retain the data for longer than necessary. In that case, state in your processing register that you will delete the data as soon as you no longer need it.
- If you share personal data with businesses or organisations outside the EU, you must record this in the processing register. For example, if you use software from a company outside the EU to send newsletters.
If you start processing new personal data, you must update the register. For example, when you start a new business process, such as sending newsletters. This will keep the processing register up to date and ensure that you continue to comply with privacy legislation.
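The list above is effectively a checklist of the fields every entry in a processing register must carry. As an added illustration (this is not KVK's code or an official template), the script below models each processing activity as a record with exactly those fields and reports which entries are incomplete. It distinguishes findings the GDPR requires (a missing purpose, data category, recipient, security measure or retention statement; a recipient outside the EU with no transfer recorded) from the advisory point made further down this page (recording the legal basis is not mandatory but wise). The sample register is constructed for the example: the controller and the "Online sales" and "Newsletter" entries follow this page's own example, the assumption that the newsletter system sits outside the EU and the incomplete "Website analytics" entry are invented to show what a finding looks like.

```python
from dataclasses import dataclass, field

# One row of the register. Field names mirror the items the GDPR requires
# (see the list above); legal_basis is optional, non_eu_transfer records
# where data goes outside the EU, if anywhere.
@dataclass
class ProcessingActivity:
    name: str
    purpose: str = ""
    data_subjects: list[str] = field(default_factory=list)
    data_categories: list[str] = field(default_factory=list)
    recipients: list[str] = field(default_factory=list)
    security_measures: list[str] = field(default_factory=list)
    retention: str = ""          # legal period, or "deleted when no longer needed"
    legal_basis: str = ""        # not mandatory in the register, but advisable
    non_eu_transfer: str = ""    # which recipient outside the EU, and for what


REQUIRED_FIELDS = ("purpose", "data_subjects", "data_categories",
                   "recipients", "security_measures", "retention")


def check_activity(activity: ProcessingActivity, non_eu_recipients=()) -> list[str]:
    """Return findings for one activity; 'required:' items must be fixed,
    'advisory:' items are recommendations."""
    findings = []
    for name in REQUIRED_FIELDS:
        if not getattr(activity, name):
            findings.append(f"required: {activity.name}: missing field '{name}'")
    # Sharing with an organisation outside the EU must itself be recorded.
    outside = [r for r in activity.recipients if r in non_eu_recipients]
    if outside and not activity.non_eu_transfer:
        findings.append(f"required: {activity.name}: recipient(s) {outside} are "
                        "outside the EU but no transfer is recorded")
    if not activity.legal_basis:
        findings.append(f"advisory: {activity.name}: no legal basis recorded")
    return findings


def check_register(controller: dict, activities, non_eu_recipients=()) -> list[str]:
    """Check the controller details plus every activity in the register."""
    findings = []
    if not controller.get("name") or not controller.get("contact"):
        findings.append("required: register: controller name and contact details are missing")
    for activity in activities:
        findings.extend(check_activity(activity, non_eu_recipients))
    return findings


# Constructed sample register (controller and first two entries taken from the
# example on this page; the analytics entry is invented and deliberately incomplete).
CONTROLLER = {"name": "Alex Computershop", "contact": "alex@computershop.nl"}

# Assumption for the example: the newsletter tool is hosted by a non-EU company.
NON_EU_RECIPIENTS = ("Newsletter system",)

ACTIVITIES = [
    ProcessingActivity(
        name="Online sales",
        purpose="Order deliveries, meeting contract obligations",
        data_subjects=["Customers"],
        data_categories=["Name", "Address", "Email address", "Phone number", "Payment details"],
        recipients=["Postal services", "Hosting provider", "Payment Service Provider"],
        security_measures=["Security software", "SSL"],
        retention="Fiscal record retention duty, 7 years",
        legal_basis="Contract obligation",
    ),
    ProcessingActivity(
        name="Newsletter",
        purpose="Inform about promotions",
        data_subjects=["Customers"],
        data_categories=["Email address"],
        recipients=["Newsletter system"],
        security_measures=["Via secured mail server"],
        retention="Until customer unsubscribes",
        legal_basis="Consent",
        # non_eu_transfer left empty on purpose: this should be flagged.
    ),
    ProcessingActivity(
        name="Website analytics",
        purpose="Measure website use",
        data_subjects=["Website visitors"],
        data_categories=["IP address"],
        recipients=["Analytics provider"],
        security_measures=["Access limited to the administrator account"],
        # retention and legal_basis deliberately left empty.
    ),
]

if __name__ == "__main__":
    for line in check_register(CONTROLLER, ACTIVITIES, NON_EU_RECIPIENTS):
        print(line)
```

Run as-is it prints three findings: the newsletter entry shares data with a non-EU recipient without recording the transfer, and the analytics entry lacks a retention statement (required) and a legal basis (advisory). Re-running the check whenever a new business process starts is the "keep the register up to date" step described above.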
The following video (in Dutch) explains how to set up a GDPR processing register.
AVG: verwerkingsregister
Not mandatory, but wise
Every time you process personal data, you are infringing the privacy of the people concerned. So, you may only process personal data if you cannot achieve your purpose without this data. This means that you must have a valid reason for processing personal data: a legal basis. These bases are laid down in law.
An example of a basis is performance of a contract. This applies, for example, if you need a customer's details to deliver an order.
A legal basis for collecting personal data is a GDPR obligation. However, it is not mandatory to state this in the processing register. Nevertheless, it is wise to note the legal bases there as well. This way, you can be sure that you comply with the GDPR obligation to have a legal basis for collecting personal data.
Example of a processing register
Responsible for processing:
Alex Computershop
Alex van de Kamer
alex@computershop.nl - 06-12345678
Processed data from customers
| | Online sales | Newsletter |
|---|---|---|
| Purpose | Order deliveries, meeting contract obligations | Inform about promotions |
| Involved | Customers | Customers |
| Type of data | Name, address, email address, phone number, payment details | Email address |
| Recipients | Postal services, hosting provider, Payment Service Provider | Newsletter system |
| Legal basis | Contract obligation | Consent |
| Retention period | Fiscal record retention duty, 7 years | Until customer unsubscribes |
| Safety measures | Security software, SSL | Via secured mail server |
Processed data from staff and suppliers
| | Employee wage payment | Purchasing |
|---|---|---|
| Purpose | Pay wages, administration duty | Purchasing materials, maintaining contact |
| Involved | Employees | Suppliers |
| Type of data | Address and bank details, BSN, ID copy, employment contract details | Phone number |
| Recipients | Payroll services provider | n.a. |
| Legal basis | Contract obligation | Contract obligation |
| Retention period | Fiscal record retention duty, 7 years | Fiscal record retention duty, 7 years |
| Safety measures | Via secured payment system | Multifactor Authentication |
Please note: These examples are incomplete, and no rights can be derived from them.