GDPR Article 30: Records of Processing
Article 30 requires controllers to maintain accurate records of their processing activities, including the processors and sub-processors they use and where data is transferred. A vendor register that stays current is the foundation.
The hard part is keeping records current
Article 30 records become inaccurate the moment a vendor adds a sub-processor, moves infrastructure to a new region, or changes their processing locations. Most organisations update their record of processing activities (ROPA) annually at best. VendorTrace monitors your vendor stack continuously and alerts you when a change occurs that may require a records update.
Records of processing activities
“Each controller shall maintain a record of processing activities under its responsibility. That record shall contain: the name of the controller, the purposes of the processing, the categories of data subjects and personal data, the categories of recipients, transfers to third countries, and where possible the envisaged time limits for erasure.”
How VendorTrace supports this obligation
- Vendor register documents every third-party processor with their service category and data handling role
- Data classification on each vendor: customer data, employee data, sensitive data
- Sub-processor list published on your trust page for transparency with data subjects and auditors
- Transfer signals from vendor scans identify which vendors serve from outside the EEA
Third-country transfers and safeguards
“Where applicable, records must document transfers of personal data to a third country or international organisation, including the identification of that third country and the documentation of suitable safeguards.”
How VendorTrace supports this obligation
- Vendor scan identifies observed serving regions and hosting locations for each vendor
- Transfer risk classification flags vendors with infrastructure outside the EEA
- Vendor register stores DPA URLs and safeguard details (SCCs, adequacy decisions) per vendor
- Change detection alerts you when a vendor's geographic footprint changes
Processor due diligence
“Controllers shall only use processors providing sufficient guarantees to implement appropriate technical and organisational measures. Processing by a processor shall be governed by a contract or other legal act.”
How VendorTrace supports this obligation
- Assess: send structured security questionnaires to vendors before and after onboarding
- Collect formal responses and store them alongside scan evidence for each vendor
- Document vault stores vendor-supplied DPAs, certifications, and questionnaire responses
- Audit-logged review workflow provides evidence that due diligence was performed
What VendorTrace does not do
VendorTrace supports the evidence gathering and monitoring that underpins Article 30 compliance. It does not produce a legally complete ROPA by itself. Your ROPA must be reviewed and approved by a qualified DPO or legal counsel who can confirm the legal basis for each processing activity, assess adequacy of safeguards, and sign off on the record. VendorTrace gives them the current, accurate data to work from.
Build a vendor register that stays accurate
Import your vendors, scan their infrastructure, and get alerted when anything changes. The Free plan needs no credit card.
