Records of Processing Activities

Mandatory contents, exceptions, practical implementation, and examples for records of processing.

Records of Processing Activities under the GDPR

Article 30 GDPR requires every controller and processor to maintain a Record of Processing Activities (ROPA). This record is one of the most fundamental documentation requirements under the GDPR and serves as the backbone of your accountability obligations.

The ROPA must be in writing, including in electronic form, and must be made available to the supervisory authority on request. It is not a one-off exercise but a living document that must be kept up to date as processing activities change.

Mandatory Contents for Controllers (Art. 30(1))

The record maintained by a controller must contain the following information for each processing activity:

  • Name and contact details of the controller, any joint controller, the controller's representative, and the DPO
  • Purposes of the processing
  • Categories of data subjects (e.g. customers, employees, website visitors)
  • Categories of personal data (e.g. name, email, payment data, health data)
  • Categories of recipients to whom the data is or will be disclosed, including recipients in third countries
  • Transfers to third countries or international organisations, including identification of the country and the safeguards in place (see International Data Transfers)
  • Retention periods or criteria for determining the retention period for each data category
  • Description of technical and organisational measures (Art. 32) where possible (see TOMs guide)

Mandatory Contents for Processors (Art. 30(2))

Processors must also maintain records, though the required content is slightly different:

  • Name and contact details of the processor(s), each controller on whose behalf the processor is acting, and the DPO
  • Categories of processing carried out on behalf of each controller
  • Transfers to third countries or international organisations, including safeguards
  • Description of technical and organisational measures where possible

Exceptions from the Obligation (Art. 30(5))

The record-keeping obligation does not apply to organisations employing fewer than 250 persons, unless any one of the following applies:

  • The processing is likely to result in a risk to data subjects
  • The processing is not occasional
  • The processing includes special categories of data (Art. 9) or data relating to criminal convictions (Art. 10)

In practice, this exception is extremely narrow. Nearly every organisation that regularly processes employee or customer data will fall within the obligation. Supervisory authorities consistently recommend that all organisations maintain a ROPA regardless of size.

Practical Implementation

Building your ROPA can seem daunting, but a systematic approach makes it manageable:

Step 1: Inventory All Processing Activities

Start by identifying every processing activity across all departments. Common categories include: HR and payroll, customer relationship management, marketing and analytics, IT administration, facility management, and procurement.

Step 2: Assign Ownership

Each processing activity should have a designated owner who is responsible for keeping the record entry accurate. Typically, this is the head of the department that initiates the processing.

Step 3: Populate the Required Fields

For each processing activity, fill in all mandatory fields listed above. Identify the legal basis (Art. 6), specify data categories precisely, and define retention periods based on legal requirements and business needs.

Step 4: Establish a Review Cycle

Define a regular review cycle (at least annually) and trigger-based reviews when processing activities change. New tools, new vendors, organisational changes, and new business processes should all trigger an update.

Example Processing Activities

Example entries for a record of processing activities
Activity             | Purpose              | Legal Basis                       | Retention
Payroll processing   | Salary payment       | Art. 6(1)(b) Contract             | 10 years (tax law)
Newsletter           | Marketing            | Art. 6(1)(a) Consent              | Until withdrawal
Web analytics        | Website optimisation | Art. 6(1)(f) Legitimate interest  | 14 months
Applicant management | Recruitment          | Art. 6(1)(b) Pre-contractual      | 6 months after rejection

The ROPA also serves as the foundation for other GDPR requirements, including the Data Protection Impact Assessment and responses to data subject requests.

Build Your ROPA Efficiently

Kopexa offers pre-built ROPA templates, automated owner notifications for review cycles, and export functionality for supervisory authority requests. Start with our GDPR Checklist to identify all your compliance gaps.
