Processing register

On this page: registry, processing activities, project register, administration Date of last review: 2022-01-05

Any EU-based organisation is required to keep a registry of processing activities from within their organisation (art. 30). If you are performing research with human subjects, the odds are that your research project will have to be registered in such a register as well. Such a register should contain who are processing the personal data, for what purpose, which personal data are processed, with whom the data are shared, and how the data will be protected.

Notably, the GDPR does not prescribe what such a register should look like exactly, and thus every institution has their own way in which the processing register is implemented and managed. Ask your local privacy officer how your institution registers research projects that process personal data.

At Utrecht University, a university-wide processing register is currently being developed. For the time being, other administrative systems and documents such as the Data Management Plan, the privacy scan, the DPIA and/or the ethical application may function as a processing register. Please ask your privacy officer for more information about how your faculty handles this.