Record of processing activities

Written by Stine Mangor Tornmark on November 6, 2022

In this article, we will describe what a record of processing is, why you need to have it, i.e. the purpose for a record of processing, what it should contain and how to create a record of processing.


RoPA or record of processing? 

A record of processing activities is often called RoPA or GDPR ropa. So if you hear people say “Do you have a ropa?”, they are asking for your record of processing.

It is also often referred to as your “article 30” or “article 30 record”.

So let's jump into what a record of processing is.  

What is a record of processing? 

A record of processing is an overview of your data processing activities. That means that you should have a document that outlines all the data your company has, the legal basis, the purpose for having it etc. 

This is legally required under article 30 of the GDPR.

It’s important to note that a record of processing is related to personal data. That is, you shouldn’t list all data that your company has on file. You need to, and should, focus on all data that is personal data.

Remember that personal data is more than just a name and an email. You can read about what personal data is in this article.

GDPR article 30 outlines that you are required to maintain a record of processing activities relating to the data under your responsibility.

It is the controller who is responsible for having the record of processing in place. The controller means the company or organization in charge of the processing activities and the data.

So it’s your company’s responsibility to maintain such records and have them on file (and up to date at all times). That’s easier said than done.

What is the purpose of a record of processing?


The purpose of a record of processing is for each company to have an overview of all personal data that is processed by that company as the data controller.

The thought behind the requirement is to ensure that all companies know what data they have, why they have it, what legal basis they have in place to process the data, who the data is shared with etc.

This means that article 30 places an obligation on all companies processing data about EU citizens to have such a record.

What’s in a record of processing?  

Overall, a record of processing should be a description of all the data processing activities that are taking place in your company. 

Here is a summary of some of the elements a RoPA should have:   

  • which departments process which types of data
  • what data is processed and about which subjects 
  • the data retention and data deletion periods 
  • transfers of the data outside the EU 
  • the organizational and security measures in place to protect the data 
  • what systems, tools, platforms and cloud services are used to store and process the data

The list - the record of processing activities   

Your record of processing activities should contain information like the following:  

  • If you aren’t located in the EU, you need to list the contact details of your representative (a company representing you if you offer services to EU citizens).
  • Which department(s) are processing the data - HR, Support, Sales, Marketing etc. 
  • The purposes of the processing, i.e. why you have the data and what it is being used for.
  • The subjects - this means the categories of people, e.g. employees, customers, users, prospects, applicants etc.
  • The categories – the different types of data you process about the people (subjects), e.g. name, address, email, telephone number, picture, bank account details, health data, title, resume etc.
  • The legal basis - what is your legal right for processing the data, e.g. consent, contract, legitimate interest etc.
  • The categories of recipients of personal data – anyone you share personal data with, e.g. suppliers, credit reference agencies, government departments.
  • If data is sent out of the EU, the third countries which the data is sent to.
  • If data is sent out of the EU, you also need to describe the safeguards in place for the transfer, e.g. SCCs, consent, secure third country etc.
  • Data retention and data deletion - how long you will keep the data for and when it is deleted.

Record of processing template

Data protection authorities around Europe have good templates and guides for a record of processing activities. 

The Danish Data Protection Agency has issued guidelines regarding how to draft a record of processing. Check out the guidelines (in Danish).

CNIL, the French Data Protection Agency, also has guidance and has created a template for a record of processing activities. You can find it here: https://www.cnil.fr/en/record-processing-activities

The ICO, in the UK, also has good articles on how to document the record of processing activities. Read the ICO article, where you can also find ICO’s template for a record of processing activities. 

Tool for recording of processing 

If you would like a tool or software to help you with the record of processing, you are welcome to contact us. 

We’ll be happy to show you how we can automate the majority of all the work related to creating and maintaining a record of processing activities. 
