Record of Processing Activities

Records of processing activities (ROPA) document all data processing and categories of data processing an organization engages in—they're also a requirement of GDPR Article 30.

Article 30 outlines certain ROPA guidelines:

  • Data controllers are responsible for creating and maintaining ROPA, which must include:
    • Name and contact information for the data controller
    • Purpose of data processing
    • Categories of personal data and data subjects being processed
    • Categories of data recipients (if the data has been shared)
    • Whether or not the data has or will be transferred to an “international organization” or “third country”
    • Timeframe for data deletion
    • Information on data security
  • Data processors must maintain ROPA for any processing “carried out on behalf of a controller.”
  • ROPA must be made available in writing and in a digital format
  • ROPA must be provided upon request

ROPA creation is required for any business that employs 250 or more people, whose data processing is “not occasional,” or whose processing may threaten a data subject's rights or freedoms.

Read Transcend's guide to GDPR Article 30.