The GDPR requires you to have a record of processing activities, see Article 30 GDPR. On demand of the authority the data controller or the data processor provides the record of processing activities.
In the ROPA you have to list every single processing, the ROPA describes the exact usage of the data, the technical and organisational measures, that you have in place for the protection of the data, it shows you who is affected by a processing and it also shows you the recipient of a processing and possible data processors are also listed there. A fundamental risk analysis should also be included in a ROPA.
easyGDPR helps you generate your own Record of Processing Activities (ROPA).