Records of Processing Activities Spain (Registro de Actividades de Tratamiento)

REGISTRO DE ACTIVIDADES DE TRATAMIENTO

Records of Processing Activities — RGPD Article 30

Reglamento (UE) 2016/679 del Parlamento Europeo y del Consejo (RGPD)

Ley Orgánica 3/2018, de 5 de diciembre, de Protección de Datos Personales y garantía de los derechos digitales (LOPDGDD)

I. CONTROLLER IDENTIFICATION (ART. 30.1 RGPD)

Data Controller: [Controller Name]

NIF/CIF: [Controller NIF]

Registered address: [Controller Address]

Legal representative: [Controller Representative]

Data Protection Officer (DPO): [DPO Name]

Joint controller (if applicable): [Joint Controller Name]

II. PROCESSING ACTIVITY

Activity name: [Activity Name]

Purpose of processing: [Processing Purpose]

Legal basis: [Legal Basis]

Legitimate interest detail: [Legitimate Interest Detail]

III. DATA SUBJECTS AND DATA CATEGORIES

Categories of data subjects: [Data Subjects Category]

Categories of personal data: [Personal Data Categories]

Special category data (art. 9 RGPD): [Special Category Data]

Special category detail: [Special Category Detail]

IV. RECIPIENTS AND INTERNATIONAL TRANSFERS

Recipients: [Data Recipients]

International transfers outside EEA: [International Transfers]

Transfer safeguards: [Transfer Safeguards]

V. RETENTION PERIODS AND SECURITY MEASURES

Retention period: [Retention Period]

Security measures: [Security Measures]

VI. DATA PROCESSORS (ENCARGADOS DEL TRATAMIENTO)

[Data Processors]

Version / last update: [Register Version]

Responsible for register: [Responsible Person]

In [Register City], on [Register Date].

[Controller Name]

[Controller Representative]

Signature: _________________________

Data Controller / Legal Representative

Maintained by Vladislav Sergienko, Founder

What Is a Records of Processing Activities Spain (Registro de Actividades de Tratamiento)?

A Records of Processing Activities Spain (Registro de Actividades de Tratamiento — RAT) is a mandatory internal document required by Article 30 of Reglamento (UE) 2016/679 del Parlamento Europeo y del Consejo, de 27 de abril de 2016 (RGPD — General Data Protection Regulation), in which every data controller (responsable del tratamiento) and data processor (encargado del tratamiento) operating in Spain must document all personal data processing activities (actividades de tratamiento de datos personales) carried out within their organisation. The RAT is a core accountability tool under the RGPD — it provides a thorough, up-to-date inventory of how an organisation collects, uses, stores, shares, and deletes personal data, and serves as the primary documentation inspected by the Agencia Española de Protección de Datos (AEPD) during compliance audits and investigation proceedings.

Article 30.1 of the RGPD specifies the mandatory content of the RAT for data controllers — the organisation's name and contact details, the name and contact details of the Data Protection Officer (DPO) where applicable, the purposes of each processing activity, a description of categories of data subjects and personal data, the categories of recipients to whom personal data is or may be disclosed, details of transfers to third countries including the safeguards applied, retention periods, and a general description of technical and organisational security measures. Article 30.2 specifies the equivalent content for data processors — the same elements adapted to the processor's role, plus identification of the controllers on whose behalf they process data.

The Ley Orgánica 3/2018, de 5 de diciembre, de Protección de Datos Personales y garantía de los derechos digitales (LOPDGDD) supplements the RGPD in Spain with national specifications. The AEPD has published extensive guidance on RAT preparation, including a model registration tool (Facilita RGPD for SMEs and the thorough RAT tool for larger organisations) available through the AEPD's website at aepd.es. The AEPD also maintains the Registro de Actividades del Sector Público (RASP) — a public register of processing activities carried out by Spanish public authorities, mandated by LOPDGDD Article 31 in addition to the general RGPD Article 30 obligation.

The exemption in RGPD Article 30.5 — which allows organisations with fewer than 250 employees to avoid maintaining a full RAT — is very narrow: it applies only to organisations whose processing of personal data is not likely to result in a risk to the rights and freedoms of data subjects, is occasional, and does not involve sensitive data (special categories under Article 9 RGPD) or criminal conviction data. In practice, almost all Spanish businesses — regardless of size — must maintain a RAT because their processing of employee HR data, customer data, or marketing data regularly involves non-occasional processing that may present risks. The AEPD has confirmed that the 250-employee exemption should not be interpreted broadly.

The RAT must be maintained in writing (in paper or electronic form) and must be made available to the AEPD on request under Article 30.4 RGPD. The AEPD may request the RAT during a proactive audit, in response to a data subject complaint, or as part of a formal investigation following a personal data breach (violación de la seguridad de los datos). Failure to maintain a compliant RAT or to provide it to the AEPD upon request constitutes a violation of Article 30 RGPD, which the AEPD can sanction as an infraction under Article 83.4 RGPD — fines of up to €10,000,000 or 2% of the total worldwide annual turnover, whichever is higher. In practice, the AEPD focuses its investigations on substantive data protection violations rather than procedural documentation failures, but an absent or inadequate RAT significantly aggravates the legal situation of an organisation that suffers a data breach.

The RAT must be kept up to date — every new processing activity, change in data retention periods, new processor relationship, or new data transfer must be reflected in the RAT promptly. Article 5.1(e) RGPD requires data minimisation and storage limitation — the RAT serves as the mechanism through which these principles are implemented and documented, making it both a compliance record and an operational tool for data lifecycle management.

When Do You Need a Records of Processing Activities Spain (Registro de Actividades de Tratamiento)?

A Records of Processing Activities Spain is required for virtually every organisation in Spain that processes personal data — Article 30 of the RGPD applies from the first day the organisation begins processing personal data, regardless of whether it has a formal data protection programme in place.

The RAT is needed when an organisation recruits its first employee — from that moment, it processes HR data (employment records, payroll data, social security data, health data for sick leave) that must be documented as a processing activity. The LOPDGDD and the ET (Estatuto de los Trabajadores) impose additional documentation requirements for HR data processing that are captured in the RAT.

The RAT is required when a company launches a website with a contact form, cookie tracking, or newsletter subscription — each of these creates a personal data processing activity (collection of email addresses, IP addresses, browsing data) that must be entered in the RAT with its legal basis, retention period, and security measures.

A Records of Processing Activities is needed before implementing any new technology that processes personal data — a customer relationship management (CRM) system, an accounting platform with customer data, an HR management system, or a video surveillance system. The RAT entry should be created as part of the Data Protection Impact Assessment (DPIA — Evaluación de Impacto en la Protección de Datos) process required by RGPD Article 35 for high-risk processing.

The RAT is necessary before sharing personal data with third-party service providers (encargados del tratamiento) — cloud computing providers, payroll bureaus, marketing agencies, IT support firms. A data processing agreement (contrato de encargado del tratamiento) under RGPD Article 28 is required for each provider, and the RAT documents the relationship.

The RAT is required when an organisation receives an AEPD inspection notification, a data subject access request (solicitud de acceso), or a data breach notification obligation under RGPD Article 33 — in each case, the RAT is the primary reference document for demonstrating compliance.

The Registro de Actividades de Tratamiento is also needed when onboarding new data processors (encargados del tratamiento) under Article 28 of Regulation (EU) 2016/679 (RGPD) — each new processor relationship must be reflected in the register as a new processing activity or an update to an existing one, with the Data Processing Agreement (contrato de encargo de tratamiento) referenced. The AEPD may request the full register and all associated DPAs during an inspection under Article 57.1(h) RGPD, and gaps between the register and actual processing activities are frequently cited as violations in AEPD inspection reports.

What to Include in Your Records of Processing Activities Spain (Registro de Actividades de Tratamiento)

A compliant Records of Processing Activities Spain under RGPD Article 30 must contain the following mandatory elements for each processing activity, supplemented by AEPD guidance on good practice.

Data Controller / Processor Identity: Name and contact details of the organisation (data controller or processor), including its NIF, registered address, and the contact details of the Data Protection Officer (DPO) where required under RGPD Article 37 — organisations processing special category data, conducting large-scale monitoring, or operating as public authorities must appoint a DPO. The DPO's name, email, and phone number must be included in the RAT and communicated to the AEPD per LOPDGDD Article 34.

Processing Activity Name and Description: A clear name and description of each processing activity — for example, 'Management of employee HR records', 'Customer invoicing and payment management', 'Website analytics and cookie tracking', 'Video surveillance of company premises'. Each distinct purpose must have a separate entry in the RAT.

Purpose(s) of Processing: A specific, explicit statement of why the personal data is processed for each activity — for example, 'Fulfilment of employment contract obligations under ET Article 8', 'Management of customer invoicing and AEAT tax compliance', 'Marketing communications to consented customers'. The purpose must correspond to one of the legal bases listed in RGPD Article 6.1.

Legal Basis: The specific RGPD Article 6 legal basis for each processing activity — consent (consentimiento) per Article 6.1(a), contract performance per Article 6.1(b), legal obligation per Article 6.1(c), vital interests per Article 6.1(d), public task per Article 6.1(e), or legitimate interests per Article 6.1(f). For special category data (health data, biometric data, union membership, etc.) an Article 9.2 additional basis must be cited.

Categories of Data Subjects and Personal Data: The types of individuals whose data is processed (employees, customers, suppliers, website visitors, CCTV subjects) and the categories of personal data (names, email addresses, financial data, health data, location data). This matrix must be specific — 'personal data' is too vague; each data category must be identified.

Recipients and Transfers: The categories of recipients to whom personal data is disclosed — internal departments, subsidiary companies, tax authorities (AEAT), labour inspectors (ITSS), banks, marketing agencies, IT providers. For transfers outside the EU/EEA (to third countries or international organisations), the transfer mechanism must be stated — adequacy decision, Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), or other Article 46 safeguard.

Retention Periods: The specific retention period for each category of data within each processing activity — for example, 'Employment records: during employment + 4 years for labour law purposes + 5 years for Social Security'; 'Customer invoicing data: 5 years per LGT Article 66 tax prescription period'; 'Marketing consent: until revoked + 3 years'. Retention periods must align with the legal minimums and maximums applicable to each data category under Spanish law (ET, LGT, LOPDGDD, Ley de Prevención de Riesgos Laborales, etc.).

Technical and Organisational Security Measures: A description of the security measures applied to each processing activity — encryption (cifrado), pseudonymisation (seudonimización), access controls, backup procedures, employee training, network security measures, and physical security for paper records. The level of detail should be proportionate to the risk profile of the processing activity.

Forms-legal.com provides this Records of Processing Activities Spain template as a starting framework. Every organisation should customise the RAT to reflect its specific processing activities and review it at least annually, or whenever a significant change in processing occurs. A qualified Data Protection Officer (DPO) or external data protection consultant should review the completed RAT for compliance with current AEPD guidance.

Key Spanish data protection authorities and references: AEPD (Agencia Española de Protección de Datos) — national supervisory authority. Facilita RGPD — AEPD's free online tool for SME RAT preparation. RGPD Article 30 — RAT obligation. LOPDGDD Article 31 — additional public sector obligations. RGPD Article 83.4 — sanctions for RAT violations.

Statute-referenced template — Template last modified June 2026

This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.
