GDPR records of processing 2026: SME template & CNIL fines

Updated 24 May 2026 — written by Hayot Expertise, French chartered accounting firm in Paris 8.

Article 30 of the General Data Protection Regulation (EU 2016/679) requires almost every organisation processing personal data — including French SMEs — to keep a record of processing activities. Since GDPR came into force on 25 May 2018, the record has become the central piece of the compliance file, systematically reviewed by the CNIL in any audit.

In practice, the record is still one of the most neglected items in French SME compliance, behind cookie banners and privacy notices. The sanctions are no longer theoretical: the CNIL has issued several six-figure fines in 2023-2024 in which an absent or weak record was part of the findings.

This article maps the 2026 framework: who is in scope, what the record must contain, how to organise it, and which mistakes the CNIL flags most often in SME audits.

Article 30(5) GDPR provides a narrow exemption requiring four cumulative conditions:

• fewer than 250 employees;
• AND processing is occasional (not regular);
• AND processing is unlikely to result in a risk to data subjects;
• AND processing does not relate to special categories of data or to criminal data.

As soon as an organisation handles payroll, a recurring customer base, CCTV or employee monitoring, the exemption falls. In practice, virtually every active French SME must keep a record. The CNIL says so clearly in its SME template.

2.1 Controller record (article 30(1))#

For each processing activity:

2.2 Processor record (article 30(2))#

For each category of processing carried out on behalf of a controller:

• processor and controller identification;
• categories of processing;
• transfers outside the EU;
• security measures.

A French accounting firm is typically both: controller for its own HR data, processor when running payroll or accounting for client companies.

The CNIL publishes a model record for French SMEs. A few practical principles:

1. One record, many sheets. One sheet per processing activity (payroll, recruitment, customer management, prospecting, CCTV).
2. Medium granularity. Too granular = unmanageable. Too broad = imprecise. Aim for one sheet per business purpose, not per tool.
3. Versioning. Every update is dated. CNIL inspectors value traceability over time.
4. Internal confidentiality. The record is an internal document on a secured medium. No public disclosure required.
5. Link with DPIA. High-risk processing identified in the record triggers a DPIA under article 35 GDPR.

Field perspective. For a 30-80 employee SME, expect 8 to 15 processing sheets. Less suggests under-mapping; more often signals excessive granularity and unmanageable upkeep.

HR sits at the heart of an SME record and concentrates CNIL audit attention:

Classic mistake: invoking employee "consent" for processing that actually rests on legal obligation or legitimate interest. Consent given by an employee to an employer is generally deemed flawed under EDPB guidance, because of the imbalance of powers.

Article 28 GDPR requires a written contract (Data Processing Agreement, DPA) between controller and processor, covering:

• subject and duration;
• nature and purpose;
• categories of data and subjects;
• controller's rights and obligations;
• processor confidentiality engagement;
• prior authorisation for sub-processors;
• assistance with data subject rights and security;
• return or deletion of data at the end of the engagement.

In practice, an accounting firm signs a DPA with every software vendor (Pennylane, Cegid, Silae, etc.) and with every client whose payroll it processes. The CNIL has published clause examples in 2022 and 2024.

GDPR sets two fine ceilings (article 83):

CNIL's published sanctions show in 2024-2025:

• more SME and start-up sanctions on top of big-tech cases;
• a wide spread of amounts, from a few thousand euros for isolated breaches to several million for systemic failings;
• heightened focus on data security and excessive retention periods.

Absent or weak records are rarely the sole finding but routinely accompany the heavier sanctions — they signal a broader compliance failure.

1. "Generic template copy-paste" with no adaptation to the actual business. CNIL inspectors spot stereotypical sheets immediately.
2. Mixing purpose and tool. The processing is "payroll production", not "Silae" or "Pennylane". The tool belongs in the recipients / processors column.
3. Loose legal bases, particularly on HR processing where consent is invoked instead of legal obligation or legitimate interest.
4. No annual review. Records age quickly: new processing not added, obsolete processing not removed.
5. Missing processor record. A firm that only keeps a controller record and forgets the processor record exposes itself to a standalone finding.

Does an SME with fewer than 10 employees need a GDPR record?#

Almost always, yes. The article 30(5) exemption requires processing to be both occasional, low-risk and free of sensitive or criminal data. As soon as payroll or a recurring customer base is processed, the exemption no longer applies.

What is the difference between controller and processor records?#

The controller record covers processing the organisation decides for its own purposes (article 30(1)). The processor record covers processing carried out on behalf of clients (article 30(2)). An organisation can be both at once.

Does the record need to be public?#

No. It is an internal document, but must be produced to the CNIL on request during an audit.

Is a DPO mandatory?#

Not always. Article 37 GDPR makes a DPO mandatory for public authorities, large-scale processing of sensitive or criminal data, and large-scale systematic monitoring. For most SMEs outside healthcare, designation is voluntary — but recommended by the CNIL.

What is the maximum fine for a record breach?#

For an article 30 breach alone: up to €10m or 2 % of worldwide turnover (article 83(4)). For substantive breaches: up to €20m or 4 % (article 83(5)).