Records of Processing Activities (ROPA)

ROPA is one of the most checked items during regulatory audits. Supervisory authorities routinely request it as the first step in any investigation. Without ROPA, you cannot demonstrate that you know what personal data you process, why, or how — making it impossible to prove compliance with any other GDPR requirement. It's also the foundation for responding to data subject requests, conducting DPIAs, and managing breaches.

Almost everyone. Article 30(5) exempts organizations with fewer than 250 employees, unless:

• Processing is likely to result in a risk to data subjects
• Processing is not occasional
• Processing includes special category data or criminal conviction data

In practice, nearly every organization that processes personal data regularly must maintain ROPA — the exceptions are extremely narrow.

For each processing activity, document:

• Name and contact details of the controller (and DPO, if appointed)
• Purposes of processing — why you process this data
• Categories of data subjects — employees, customers, website visitors, etc.
• Categories of personal data — names, emails, financial data, health data, etc.
• Recipients — who receives the data (internal departments, processors, third countries)
• International transfers — transfers outside the EEA, safeguards used (SCCs, adequacy)
• Retention periods — how long you keep each category of data
• Security measures — general description of technical and organizational measures

Processors have a lighter but still mandatory requirement:

• Name and contact details of processor(s) and each controller
• Categories of processing carried out on behalf of each controller
• International transfers and safeguards
• General description of security measures

Step 1: Data Mapping

Interview each department to identify:

• What personal data do you collect?
• Why do you collect it?
• Where does it come from?
• Who do you share it with?
• How long do you keep it?
• How do you protect it?

Step 2: Document

Record findings in a structured format — spreadsheet, compliance tool, or dedicated software. One row per processing activity.

Step 3: Review and Update

ROPA is a living document:

• Update when new processing activities start
• Review when existing processes change
• Audit annually at minimum
• DPO should oversee maintenance

• Too high-level — "we process customer data" is insufficient; specify the activities
• Not updated — ROPA from 2018 that hasn't been touched since
• Missing processors — forgetting to include cloud providers, SaaS tools, external services
• No retention periods — "as long as necessary" is not a valid retention period
• Departmental silos — IT knows about some processing, HR about others, marketing about others — no central view

• GDPR Article 30 — records of processing activities
• EDPB position on ROPA — guidance on scope and content
• National DPA templates — many authorities provide ROPA templates (ICO, CNIL, AZOP)