How to work with processing activities
Summary
The Processing Activities module provides a structured, compliant, and automated way to maintain your GDPR Article 30 privacy register. By linking it with ISOPlanner’s Assets, Risks, and Controls, you ensure full traceability and simplified audit preparation.
Processing activities
Where to find it in ISOPlanner: https://portal.isoplanner.app/processingactivities/overview
The Processing Activities page provides an overview of all registered processing activities within your organization. Each record shows key details such as its name, role, owner, and the data involved. Typical columns include:
- Name – The descriptive title of the activity (for example, Camera surveillance).
- Code – A unique identifier automatically assigned to each activity.
- Owner – The person responsible for maintaining this record.
- Role – Specifies whether your organization acts as Controller or Processor for this activity.
- Status – Indicates whether the record is in Concept, Approved, or Archived status.
- Retention period – A fixed period can be set for the processing activity, or it can be set to “From information Assets” to reference the retention period set on the linked Asset.
- Data – Shows which Information Assets are linked to the activity, with the actual Asset information (Location, Retention period and Classification of the Asset) visible.
- Data classifications – Displays any linked classification from those assets.
- Data subject scale – Indicates the approximate number of data subjects affected (for example, 1K–10K).
- DPIA checklist status – Displays the status of the DPIA Checklist task (for example, Requested or Completed).
- Transfers outside the EEA – Indicates whether personal data is transferred outside the European Economic Area.
- Tags – Optional labels you can use for categorization or reporting.
You can customize which columns are displayed via View → Select Columns and add or remove filters using the Filter button. Filters are available for Role, Status, Owner, Data, Classifications, Data subject scale, DPIA checklist status, Transfers outside the EEA, Shared with, and Tags.
Creating and editing a processing activity
Click Add to create a new processing activity, or select an existing one and click Edit. Each record contains general header fields followed by three detailed tabs: Purpose of Processing, Processed Data, and Stakeholders.
General fields
- Owner – Defines who is responsible for maintaining this record.
- Shared with – Specifies who can view or edit the activity (for example, Everyone).
- Role – Choose whether your organization acts as Controller or Processor. The controller determines the purposes and means of processing; a processor acts on behalf of a controller.
- Status – Indicates the lifecycle state of the record: Concept (draft), Approved (validated), or Archived (no longer active).
- Start / End – Optional start and end dates for the processing activity.
- Retention period – Specify how long the personal data will be retained. You can select an existing value or add a new one.
  - When adding a new value, ISOPlanner automatically checks for possible duplicates using AI.
  - For example, if you add “7 days” while “1 week” already exists, ISOPlanner suggests they might be duplicates. This helps keep your data standardized.
- Tags – Add one or more labels to categorize your processing activity. You can search existing tags or create new ones.
Tabs
Each processing activity contains three tabs that structure your privacy documentation.
1. Purpose of processing
Use this tab to describe why the personal data is processed.
- Purpose of processing – Enter the specific purpose of the processing (for example, Personnel administration, Customer management). Describe it as concretely as possible, avoiding vague terms like “general purposes.”
- Description – Optionally enter additional information about this processing activity, for example for internal documentation or audit explanation.
2. Processed data
This tab describes what data is processed and how it is categorized.
- Data (Information Assets) – Select the information assets that are processed (for example, employee data, financial records). This section links directly to the Information Assets in your ISOPlanner environment and shows the Location, Retention Period and Classification of each Asset (from the Suppliers and Assets menu).
- Data Subjects – Select the categories of data subjects involved (for example, employees, customers, suppliers). Describe them clearly to avoid ambiguity.
- Number of Data Subjects – Select the scale of the number of data subjects involved.
  - The number of affected data subjects must be reported to the supervisory authority in case of a breach (GDPR Article 33(3)).
  - Large-scale processing is also relevant when assessing whether a Data Protection Officer is required (GDPR Article 37(1)).
- Categories of Personal Data – Select the categories of personal data being processed (for example, contact details, health data, financial information). Use clear and specific terms.
- Legal Basis for Processing – Select the legal basis for the processing (for example, consent, contract, legitimate interest). Ensure that the legal basis matches the described purpose.
Linking assets and suppliers
When you link Information Assets and Suppliers (for example, processors or recipients) to a processing activity, ISOPlanner automatically analyses their attributes to determine data flows and locations.
Each linked Information Asset can contain fields such as Location and Data classification, while each Supplier may have a Country of processing or Data storage location.
The field Transfers outside the EEA is automatically derived from these linked records.
For example:
- If a processor or supplier is located in the United States, or if an asset’s storage location is set to a non-EEA country, ISOPlanner will flag that a transfer outside the EEA occurs.
- If all linked assets and suppliers are within the EEA, the field will indicate No transfers.
To ensure accurate results, keep the Location field in your Information Assets and Suppliers up to date. ISOPlanner uses this data to pre-fill transfer information and suggest required safeguards (such as Standard Contractual Clauses).
Below the main form, ISOPlanner automatically displays:
- Transfers outside the EEA – Deduced from the locations of processors and recipients.
- Required safeguards – Automatically determined based on those transfers. For example, if data leaves the EEA, ISOPlanner may suggest additional safeguards such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs).
3. Stakeholders
Use this tab to describe who is involved in the processing activity — both internally and externally.
- Processors (Suppliers) – Select the processors involved in this processing activity (for example, payroll provider, cloud service provider). If you are the Processor, select your sub-processors instead. Ensure that a valid Data Processing Agreement (DPA) is in place with each processor. For each added Supplier (where applicable), the underlying assets and the classification of the supplier (from the menu Suppliers and Assets) are visible.
- Recipients (Suppliers) – Select the recipients who may receive the personal data (for example, IT service providers, HR or payroll services, logistics providers).
- Other Recipients (Categories) – Select the categories of recipients who may receive the personal data (for example, tax authorities, business partners). Be precise to ensure accountability.
- Joint Controllers (Suppliers) – If you share responsibility with another organization, select the involved suppliers and attach a Joint Controller Agreement from the Library (GDPR Article 26).
- Responsible Entities – Select the organizational unit(s) that act as (joint) controllers for this processing activity.
- Executing Entities – List the internal entities that carry out the processing activities.
  - If you are a Processor, examples include the IT Operations or Customer Support team.
  - If you are a Controller, examples include the HR department or Sales department.
Related information
On the right-hand side, you will find the Related information panel. It contains several tabs that help you connect the processing activity with other parts of ISOPlanner.
- Context – Shows related Processes, Risks, and Controls. You can search and add links using the search field at the bottom.
- Activities – Displays internal discussions or comments related to the processing activity.
- Library – Allows you to attach relevant files or documents from the Library, such as contracts or data protection agreements.
- Changelog – Provides a complete history of all changes made to this processing activity, including the user, action type, and timestamps.
For more details, see the generic article Related Information.
Compliance check
Click the Compliance check button in the menu Next actions on the toolbar to start the compliance check.
- Any missing fields are reported.
- When the AI Assistant is enabled, the content of each field is checked in accordance with the GDPR.

DPIA Preliminary assessment
Applies to Business and Premium subscriptions
Click the DPIA Preliminary assessment button in the menu Next actions on the toolbar to open a predefined task template that helps determine whether a Data Protection Impact Assessment (DPIA) is required. The checklist contains a set of guided questions that help you evaluate necessity and risk. The status of the checklist (for example, Requested or Completed) appears in the DPIA checklist status column in the overview.
Approval
Applies to Business and Premium subscriptions
You can set up approvals for processing activities. This way, users without a paid license can create a processing activity and request approval. Users who are granted the permission to approve receive a task to do so. In combination with the DPIA preliminary assessment and the AI compliance check, the whole process is streamlined and manual steps are reduced.
- Concept processing activity is created with basic information.
- DPIA preliminary assessment is completed.
- The processing activity is updated and more details are filled in.
- Compliance check is carried out. The AI Assistant gives advice if enabled.
- The processing activity details are completed.
- A request for approval is made.
- The authorized persons review the processing activity.
- The processing activity is Approved or Rejected.
Configuration
- In the role permissions, a user must have ‘Create processing activity’ permissions to start. An administrator can grant these permissions.
- People who need to approve must have ‘Approve processing activity’ permissions.
- In the processing activity module settings, the approvers and optionally reviewers must be selected.
- Optionally, the system form ‘Processing activity approval’ can be adjusted in menu Organization / Forms. By default, the fields ‘CISO advice’ and ‘DPO advice’ are created.
When this is set up, users who have create permission but no approve permissions see an option ‘Request approval’ under the ‘Next actions’ button on the toolbar. When the request is created, approvers and reviewers will receive a task and e-mail notification. Reviewers can use the field on the form to give advice but cannot approve. When the processing activity is rejected, the owner is notified by e-mail. By default, the owner is the person who created the processing activity. The owner can open the Processing Activity Details report to view the comments (why it was rejected). When the processing activity is approved, the status is set to Approved and the owner is notified by e-mail. After approval, the processing activity becomes read-only when the user does not have a paid license. For paid licenses, the processing activity can be edited based on their authorization.
Reports
For processing activities, the following reports are available.
- Processing activities. This report generates a list of basic information for all processing activities, with a pie chart of the statuses at the top.
- Processing Activity Details. This report generates a report of the selected processing activity. The report includes all core information such as the purpose, processed data, stakeholders, and related links. Reports can be shared internally or exported for audits and documentation.
- Processing activities and Data subjects. This report generates a list of processing activities per data subject. For each processing activity, the related information assets are shown, including their classifications, processors and recipients.
- Suppliers and processing activities. This report lists processing activities per supplier, which role the supplier has and what the status is. This report is available from the list of Suppliers and Assets or in the menu Reports.
Tips and automation
- Use Tags consistently to organize and filter your privacy register.
- Keep Retention periods standardized to ensure consistent reporting.
- Regularly review the Changelog for audit and accountability purposes.
- Combine Processing Activities with Risks and Controls to demonstrate compliance with ISO 27701 and GDPR Article 30.
- When linked Processors or Recipients are located outside the EEA, ISOPlanner automatically identifies possible transfers and required safeguards.
- AI suggestions help prevent duplicate entries and improve data quality across dropdown fields such as tags, categories, and retention periods.