The obligation to document processing activities is intended to encourage the company to become aware of its own data processing activities. The records of processing activities also serve as orientation point for data protection supervisory authorities when they review the lawfulness of the handling of personal data.

When defining and subsequently documenting processing activities, the purpose is decisive: What is the purpose of the respective processing and how does it differ from other processing activities? In contrast, the type and method of processing (paper, electronic) is not decisive. Nor should a distinction be made between individual processing steps, but rather between the overriding purpose.

Both so-called "controllers" (the ones who define purposes and means of a processing activity) as well as so-called "processors" (the ones who act as service providers and act based on instructions from the controllers) have to draft records of processing activities. However, the scope of documentation is much broader for controllers. Processors must support controllers with the fulfillment of the controller’s extended documentation duties.

The law does not specify the means by which processing activities must be documented. While documentation using a data protection management system is recommended in larger companies, it is sufficient for companies with few data processing activities to use an Excel or Word template.