What Is a ROPA
A Record of Processing Activities is a comprehensive register that documents every way your organization processes personal data. It must include:
- The name and contact details of the controller (your organization)
- The purposes of each processing activity
- The categories of data subjects and personal data
- The categories of recipients
- International data transfers (if applicable)
- Retention periods for each category of data
- A description of technical and organizational security measures
ROPA maintenance is mandatory for organizations with 250 or more employees, and for any organization whose processing is likely to result in a risk to the rights of data subjects, involves special categories of data, or relates to criminal convictions. In practice, most organizations pursuing GDPR compliance should maintain a ROPA.
Creating a Processing Activity Record
Required Fields
Each ROPA entry requires the following information:
| Field | Description | Example |
|---|---|---|
| Processing activity name | A clear name for this processing activity | "Employee payroll processing" |
| Purpose | Why this data is being processed | "Calculating and disbursing employee salaries" |
| Legal basis | The GDPR legal basis for processing (Article 6) | Contractual necessity, Legitimate interest, Consent |
| Data subjects | Categories of individuals whose data is processed | Employees, Customers, Website visitors |
| Data categories | Types of personal data processed | Name, email, salary, bank details |
| Special category data | Whether sensitive data is involved (Article 9) | Health data, biometric data, racial/ethnic origin |
| Recipients | Who receives or has access to the data | Payroll provider, tax authority, internal HR team |
| International transfers | Whether data is transferred outside the EEA | Transfer to US-based processor with SCCs |
| Retention period | How long data is kept | 7 years after employment ends (tax requirement) |
| Security measures | Technical and organizational protections | Encryption, access controls, audit logging |
Legal Bases
GDPR recognizes six legal bases for processing personal data. Select the applicable basis for each processing activity:
Consent (Article 6(1)(a))
The data subject has given clear consent for processing their personal data for a specific purpose. Consent must be freely given, specific, informed, and unambiguous.
Contractual Necessity (Article 6(1)(b))
Processing is necessary for the performance of a contract with the data subject or to take steps at their request before entering into a contract.
Legal Obligation (Article 6(1)(c))
Processing is necessary to comply with a legal obligation to which the controller is subject (e.g., tax reporting, employment law).
Vital Interests (Article 6(1)(d))
Processing is necessary to protect the vital interests of the data subject or another person. This basis is rarely applicable in business contexts.
Public Task (Article 6(1)(e))
Processing is necessary for a task carried out in the public interest or in the exercise of official authority. Primarily applies to public sector organizations.
Legitimate Interest (Article 6(1)(f))
Processing is necessary for the legitimate interests of the controller or a third party, unless overridden by the data subject’s rights. Requires a Legitimate Interest Assessment (LIA).
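The following is an added example, not code from the product this page describes: it models a ROPA entry with the fields from the Required Fields table, checks that the legal basis is one of the six Article 6(1) bases above (flagging a legitimate-interest entry that has no LIA on file), marks entries whose quarterly review is overdue, and flattens entries to CSV for the spreadsheet export mentioned later on this page. The record shape, the `lia_reference` and `transfer_safeguard` fields, and the "transfer without a documented safeguard" check are assumptions for illustration; the sample entries are constructed from the table's own example values.

```python
"""ROPA entry schema, completeness checks and spreadsheet export (added example)."""
import csv
import io
from dataclasses import dataclass, field, fields
from datetime import date, timedelta
from typing import Optional

# The six legal bases of Article 6(1), as listed in the Legal Bases section.
LEGAL_BASES = {
    "consent": "Article 6(1)(a)",
    "contractual necessity": "Article 6(1)(b)",
    "legal obligation": "Article 6(1)(c)",
    "vital interests": "Article 6(1)(d)",
    "public task": "Article 6(1)(e)",
    "legitimate interest": "Article 6(1)(f)",
}

REVIEW_INTERVAL = timedelta(days=90)  # the page recommends a quarterly review


@dataclass
class RopaEntry:
    """One row of the register; field names follow the Required Fields table."""
    name: str
    purpose: str
    legal_basis: str
    data_subjects: list[str]
    data_categories: list[str]
    recipients: list[str]
    retention_period: str
    security_measures: list[str]
    special_category_data: list[str] = field(default_factory=list)
    transfer_destination: Optional[str] = None  # recipient outside the EEA, if any
    transfer_safeguard: Optional[str] = None    # assumed field, e.g. "SCCs"
    lia_reference: Optional[str] = None         # assumed field: where the LIA is filed
    last_reviewed: Optional[date] = None


def validate_entry(e: RopaEntry) -> list[str]:
    """Return findings for an entry; an empty list means it is complete."""
    findings: list[str] = []
    for attr in ("purpose", "retention_period"):
        if not getattr(e, attr).strip():
            findings.append(f"{e.name}: missing {attr.replace('_', ' ')}")
    for attr in ("data_subjects", "data_categories", "recipients", "security_measures"):
        if not getattr(e, attr):
            findings.append(f"{e.name}: no {attr.replace('_', ' ')} listed")
    basis = e.legal_basis.strip().lower()
    if basis not in LEGAL_BASES:
        findings.append(f"{e.name}: unknown legal basis '{e.legal_basis}'")
    elif basis == "legitimate interest" and not e.lia_reference:
        findings.append(f"{e.name}: legitimate interest selected but no LIA recorded")
    # Assumed check: a transfer outside the EEA should name its safeguard.
    if e.transfer_destination and not e.transfer_safeguard:
        findings.append(f"{e.name}: international transfer without a documented safeguard")
    return findings


def review_due(e: RopaEntry, today: date) -> bool:
    """True when the entry was never reviewed or the review interval has elapsed."""
    return e.last_reviewed is None or today - e.last_reviewed > REVIEW_INTERVAL


def export_csv(entries: list[RopaEntry]) -> str:
    """Flatten entries to CSV text; list-valued fields are joined with '; '."""
    buf = io.StringIO()
    names = [f.name for f in fields(RopaEntry)]
    writer = csv.DictWriter(buf, fieldnames=names)
    writer.writeheader()
    for e in entries:
        row = {}
        for n in names:
            v = getattr(e, n)
            row[n] = "; ".join(v) if isinstance(v, list) else ("" if v is None else str(v))
        writer.writerow(row)
    return buf.getvalue()


# Constructed sample entries, built from the examples in the Required Fields table.
PAYROLL = RopaEntry(
    name="Employee payroll processing",
    purpose="Calculating and disbursing employee salaries",
    legal_basis="Contractual necessity",
    data_subjects=["Employees"],
    data_categories=["Name", "email", "salary", "bank details"],
    recipients=["Payroll provider", "tax authority", "internal HR team"],
    retention_period="7 years after employment ends (tax requirement)",
    security_measures=["Encryption", "access controls", "audit logging"],
    transfer_destination="US-based processor",
    transfer_safeguard="SCCs",
    last_reviewed=date(2024, 1, 15),
)

# Constructed entry with gaps: no purpose, no recipients, legitimate interest without an LIA.
INCOMPLETE = RopaEntry(
    name="Website analytics",
    purpose="",
    legal_basis="Legitimate interest",
    data_subjects=["Website visitors"],
    data_categories=["IP address"],
    recipients=[],
    retention_period="13 months",
    security_measures=["Access controls"],
)

if __name__ == "__main__":
    for entry in (PAYROLL, INCOMPLETE):
        for line in validate_entry(entry) or [f"{entry.name}: complete"]:
            print(line)
    print(export_csv([PAYROLL]))
```

Running the module prints the findings for the two sample entries and the CSV for the payroll record; a ROPA tool would typically run the same checks on save so that an entry cannot be marked complete while a required field or the LIA is missing.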
Managing Your ROPA
Reviewing Records
Review your ROPA entries periodically (recommended: quarterly) to ensure they remain accurate. Key triggers for review:
- New products or services that process personal data
- Changes to data processing vendors or subprocessors
- Changes to retention policies
- New international data transfers
- Organizational restructuring
Editing Records
Click on any ROPA entry to view and edit its details. All changes are versioned, so you can see the history of modifications for audit purposes.
Exporting the ROPA
Export your complete ROPA as a PDF or spreadsheet for:
- Supervisory authority requests
- Audit evidence packages
- Internal governance reporting
- DPO review and sign-off
ROPA as Compliance Evidence
Your ROPA serves as direct evidence for several GDPR controls:
| GDPR Article | Requirement |
|---|---|
| Article 30 | Maintain records of processing activities |
| Article 5(1)(b) | Purpose limitation — documented purposes justify processing |
| Article 5(1)(e) | Storage limitation — retention periods are defined |
| Articles 13-14 | Information to data subjects — ROPA supports privacy notice content |
| Article 35 | DPIA trigger identification — ROPA helps identify high-risk processing |