Definition
The Record of Processing Activities (RAT, GDPR art. 30) is the internal inventory where the controller lists every personal-data processing activity. For each activity it must include: name and contact details of the controller (and DPO if applicable), purpose, categories of data subjects and data, recipients (third parties with whom data is shared), international transfers if any, retention periods and a description of technical and organisational security measures.
The RAT is not published — it is internal documentation shown to the AEPD on request. It can be kept as a spreadsheet, Word doc or specialised tool. The key is to keep it current and reflective of the club's reality.
When does it apply?
Mandatory for every controller, with no practical minimum threshold (the art. 30.5 exception is very narrow and rarely applies to clubs). Create the RAT at incorporation and review it at least yearly or whenever something changes (new software, new sport section, change of accountant).
Practical example
Common mistakes
- Thinking a small club doesn't need one: the art. 30.5 exception is very restrictive.
- Listing only 2-3 activities: most clubs have 6-10 distinct activities.
- Not updating after changes: every new piece of software or comms channel is a new activity or processor.
- Confusing the RAT with the privacy policy: the RAT is internal; the policy is public.
This is not specific legal or tax advice
Information as of May 2026. Regulation evolves and every club has its own particular circumstances (region, federation, size, activities). For your specific case, talk to a lawyer or tax advisor specialised in Spanish sports law.