A processing activity, as defined by the GDPR, encompasses any operation or set of operations performed on personal data, whether automated or manual. This includes collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, and destruction of personal data.
Article 30 of the GDPR requires controllers and processors to maintain a Record of Processing Activities (ROPA) documenting each processing activity, including its purpose, categories of data subjects and personal data involved, recipients, international transfers, retention periods, and security measures. This register is a foundational compliance tool that supervisory authorities frequently request during investigations and serves as the basis for data protection impact assessments.