What is an application register?
An application register is an overview of all systems, software, and tools that process personal data in your organisation - from your CRM and accounting software to your email client and cloud storage.
The difference from your record of processing activities: the processing record describes the activities (what you do with data and why). The application register describes the means (which systems you use). Together they form a complete picture.
Why do you need one?
1. It supports your record of processing activities
Your processing record must list which systems are involved in each processing activity. Without an application register, you’ll be guessing which tools you use every time you update it.
2. It helps during data breaches
During a data breach, you need to quickly determine which systems are affected and what data they contain. You have 72 hours to notify the supervisory authority - you don’t want to spend that time figuring out which systems you have.
3. It makes processing agreements manageable
For every vendor that processes personal data on your behalf, you need a Data Processing Agreement (DPA). Your application register shows at a glance where you already have an agreement and where one is missing.
What to document per system
| Field | Description | Example |
|---|---|---|
| Name | Name of the system or tool | HubSpot CRM |
| Vendor | Company name of the vendor | HubSpot Inc. |
| Category | Type of system | CRM |
| Data types | Which personal data is processed | Name, email, phone number, interaction history |
| Data subjects | Whose data is involved | Customers, leads |
| Storage location | Where is data stored | EU (Frankfurt) |
| Processing agreement | Is a DPA in place | Yes, signed 15-03-2024 |
| Internal owner | Who manages this system | Marketing team |
Practical example
A sample register for a small business:
| System | Vendor | Data types | Location | DPA |
|---|---|---|---|---|
| Google Workspace | Google LLC | Email, documents, calendar | EU | Yes |
| Exact Online | Exact | Invoices, customer data, bank details | NL | Yes |
| Mailchimp | Intuit Inc. | Email, name, behavioural data | US (SCC) | Yes |
| Teamleader | Teamleader NV | Customer data, quotes, invoices | BE | Yes |
| WordPress + WooCommerce | Self-hosted | Customer data, orders | NL (own hosting) | N/A |
| Slack | Salesforce | Messages, files | US (SCC) | No - action needed |
The Slack entry immediately reveals a missing processing agreement. That is exactly the value of the register.
How to get started
- Inventory all systems. Walk through each department and ask which tools they use. Don’t forget mobile apps and free tools
- Check your invoices. Your accounting records show which software you pay for
- Scan your website. GDPRWise automatically detects which external services your website uses
- Document each system. Fill in the fields listed above
- Check processing agreements. Verify whether you have a DPA for each system
Keeping it current
Check at least twice a year whether your register is still accurate. Make it a habit to add every new system immediately and verify the processing agreement.
Scan your website and GDPRWise automatically maps which external services and tools process personal data. Your application register is the starting point.