GDPR Role & Retention Mapper
Map GDPR data processing roles (Controller, Processor, Joint Controller), define data processing activities, calculate retention periods by data type and jurisdiction, select legal bases, assess pseudonymization needs, and generate Article 30 Records of Processing Activities.
GDPR Data Mapping Challenges?
Our team maps data flows, determines controller/processor relationships, and implements retention policies.
What Is GDPR Role and Retention Mapping
The General Data Protection Regulation (GDPR) requires organizations to define clear data processing roles and implement retention policies that limit how long personal data is stored. Role mapping identifies whether each entity in your data processing chain is a Controller (determines purposes and means of processing), Processor (processes data on behalf of a Controller), or Joint Controller — each role carrying distinct legal obligations.
Retention mapping ensures that personal data is not kept longer than necessary for its stated purpose, a core principle of GDPR known as storage limitation (Article 5(1)(e)). Together, role and retention mapping form the operational backbone of GDPR compliance, answering two critical questions: who is responsible for this data, and how long can we keep it?
GDPR Roles Explained
| Role | Definition | Key Obligations | Example |
|---|---|---|---|
| Controller | Determines purposes and means of processing | Lawful basis, data subject rights, breach notification (72h), DPIA | Company using CRM to manage customer relationships |
| Processor | Processes personal data on behalf of Controller | Follow Controller instructions, security measures, breach notification to Controller | Cloud hosting provider storing customer database |
| Joint Controller | Two+ entities jointly determine purposes | Transparent arrangement defining responsibilities, single point of contact for data subjects | Two companies running a joint marketing campaign |
| Sub-Processor | Processor engaged by another Processor | Same obligations as Processor, Controller must approve engagement | CDN provider used by the cloud host |
Retention Period Guidelines
| Data Category | Typical Retention | Legal Basis |
|---|---|---|
| Customer transaction records | 6-7 years | Tax and accounting law |
| Employee records | Duration of employment + 6 years | Employment law, limitation periods |
| Marketing consent records | Until consent is withdrawn | GDPR Article 7 |
| Website analytics | 26 months (GA default) | Legitimate interest |
| CCTV footage | 30 days | Legitimate interest |
| Job application data | 6-12 months after decision | Legitimate interest for legal claims |
| Medical records | Varies by jurisdiction (often 10+ years) | Legal obligation |
Common Use Cases
- GDPR compliance audit: Map every personal data processing activity to a defined role (Controller/Processor) and documented retention period
- Data Processing Agreement (DPA) preparation: Identify all Processor relationships that require DPAs under Article 28, and define retention requirements in each agreement
- Records of Processing Activities (ROPA): Build the Article 30 register by documenting each processing activity with its role classification, purpose, retention period, and legal basis
- Data minimization implementation: Identify data stores where personal data is retained beyond its stated purpose and implement automated deletion
- Vendor assessment: Evaluate whether third-party vendors are correctly classified as Processors or Controllers and verify their retention practices align with your policies
Best Practices
- Document roles for every data flow — Map each personal data processing activity to a specific role. A single vendor might be a Controller for some data (their own analytics) and a Processor for other data (your customer records).
- Set specific retention periods, not indefinite — "As long as necessary" is not a valid retention policy. Define concrete timeframes based on legal requirements, business need, or data subject expectations.
- Automate deletion — Manual retention enforcement fails at scale. Implement automated data lifecycle management that flags or deletes data when its retention period expires.
- Review retention annually — Business needs and legal requirements change. Review retention schedules at least annually and after any significant change in processing activities.
- Include backups in retention scope — Backup copies of personal data are still personal data. Ensure backup retention aligns with your defined periods and that restoration processes account for deletion requests.
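The automated-deletion and backup-scope practices above, as an added example that is not the tool's own code: a small Python retention engine that turns the guideline table into rules, computes each record's deletion date from the event that starts its clock (transaction date, end of employment, hiring decision, consent withdrawal), and flags expired records together with their backup copies. The category keys, record field names and the sample inventory are constructed assumptions.

```python
from datetime import date, timedelta

# Retention rules from the guideline table above, keyed by hypothetical category
# names: (record field that starts the clock, months, days). "Until consent is
# withdrawn" is a zero-offset rule anchored on the withdrawal date, so the record
# never expires while that field is still empty.
RULES = {
    "customer_transaction": ("transaction_date", 7 * 12, 0),  # tax/accounting law
    "employee_record": ("employment_end", 6 * 12, 0),         # employment + 6 years
    "job_application": ("decision_date", 12, 0),              # upper end of 6-12 months
    "cctv_footage": ("capture_date", 0, 30),                  # 30 days
    "marketing_consent": ("consent_withdrawn", 0, 0),         # until withdrawn
}

def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic that clamps the day for short months."""
    m = d.month - 1 + months
    y, m = d.year + m // 12, m % 12 + 1
    next_first = date(y + 1, 1, 1) if m == 12 else date(y, m + 1, 1)
    return date(y, m, min(d.day, (next_first - timedelta(days=1)).day))

def deletion_date(record: dict):
    """Date the record must be deleted, or None if its clock has not started."""
    anchor_field, months, days = RULES[record["category"]]
    anchor = record.get(anchor_field)
    if anchor is None:
        return None  # e.g. still employed, or consent not yet withdrawn
    return add_months(anchor, months) + timedelta(days=days)

def expired_records(records, today: date, include_backups: bool = True):
    """IDs of records past retention, plus their backup copies (see best practices)."""
    expired = []
    for r in records:
        due = deletion_date(r)
        if due is not None and today >= due:
            expired.append(r["id"])
            if include_backups:
                expired.extend(r.get("backup_copies", []))
    return expired

# Constructed sample inventory, not real data.
SAMPLE_RECORDS = [
    {"id": "txn-1", "category": "customer_transaction",
     "transaction_date": date(2016, 3, 1), "backup_copies": ["bk-txn-1"]},
    {"id": "emp-1", "category": "employee_record", "employment_end": None},
    {"id": "emp-2", "category": "employee_record", "employment_end": date(2017, 12, 31)},
    {"id": "app-1", "category": "job_application", "decision_date": date(2023, 6, 15)},
    {"id": "cam-1", "category": "cctv_footage", "capture_date": date(2024, 4, 1)},
    {"id": "mkt-1", "category": "marketing_consent", "consent_withdrawn": date(2024, 5, 1)},
]
```

Running `expired_records(SAMPLE_RECORDS, date(2024, 5, 1))` flags the transaction record and its backup copy, the former employee's record, the CCTV clip and the withdrawn consent, while the still-employed record and the recent job application are kept.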
Frequently Asked Questions
Common questions about the GDPR Role & Retention Mapper
A data controller determines the purposes and means of processing personal data (it decides why and how data is processed). A data processor processes data on behalf of the controller (it follows the controller's instructions). Joint controllership arises when two or more entities jointly determine the purposes of processing. Each role has different obligations under GDPR.
Article 30 of GDPR requires controllers and processors to maintain written records of processing activities. Records must include: purposes of processing, categories of data subjects and data, recipients, international transfers, retention periods, and security measures. This tool generates Article 30 compliant records.
Retention periods depend on legal requirements (tax records: 7 years; medical records: varies by jurisdiction), contractual obligations, legitimate business need, and the data minimization principle. Under GDPR, data must not be kept longer than necessary for its purpose. This tool calculates retention periods based on data type and jurisdiction.
GDPR Article 6 defines six legal bases: Consent (freely given, specific, informed), Contract (necessary for contract performance), Legal Obligation (required by law), Vital Interests (protecting life), Public Task (official authority or public interest), and Legitimate Interests (balanced against data subject rights). Each processing activity must have a valid legal basis.
A DPIA is required under GDPR Article 35 when processing is likely to result in high risk to individuals. This includes systematic profiling, large-scale processing of special categories, and public area monitoring. The DPIA must describe processing, assess necessity and proportionality, identify risks, and define mitigation measures. This tool includes a DPIA necessity checker.
ℹ️ Disclaimer
This tool is provided for informational and educational purposes only. All processing happens entirely in your browser - no data is sent to or stored on our servers. While we strive for accuracy, we make no warranties about the completeness or reliability of results. Use at your own discretion.