 states that data controllers and processors must create and maintain records of data processing activities (ROPA).

While most companies processing data from EU citizens must create ROPA, there are a few exceptions. ROPA are not required if a company’s data processing is:

Doesn’t threaten a data subject's freedoms or rights

These exceptions leave a fairly narrow group of organizations who are actually exempt. Most organizations that process personal data are doing so more than occasionally.

And, with no further explanation as to what “not occasional” means—in most cases it’s better to create the ROPA and ensure GDPR compliance.

Name and contact details for the data controller

Documentation on why the data is being processed

Categories of personal data and data subjects

A list of personal data transfers to third countries or international entities

 and the practical application of Article 30.

Article 28

Article 30

Article 32

Article 6 

Article 9

Authorized Agents

California Consumer Privacy Act

California Privacy Protection Agency

California Privacy Rights Act

Colorado Privacy Act

Consent 

Dark Patterns

Data Controller

Data Mapping

Data Processor

Data Subject

Data Subject Access Request

Do Not Track

Do not sell/Do not share 

Facebook Limited Data Use

GDPR Personal Data

GDPR Principles

GDPR Rights

General Data Protection Regulation

Global Privacy Control

Gramm-Leach-Bliley Act

HIPAA

LGDP (Brazil's Privacy Law)

Personally Identifiable Information

Preference Management

Pseudonymization

Record of Processing Activities

Schrems II

Tracking Cookies

Utah Consumer Privacy Act 

Verifiable Consumer Request 

Virginia Consumer Data Protection Act

Data Rights Unwrapped 2024: Transcend Customers Powering the Next Era of Privacy Innovation

Transcend offers data governance solutions that help companies achieve privacy compliance through powerful data mapping and data discovery, automated data subject requests, and simple cookie consent, all with industry leading security.