
Record of Processing Activities (ROPA)

The mandatory register of all processing activities that every controller must maintain under Art. 30 GDPR.

The Record of Processing Activities (ROPA) is one of the central instruments of GDPR compliance. Under Art. 30 GDPR, every controller is required to maintain such a record in writing — including in electronic form — and to make it available to the supervisory authority upon request. It forms the documentary backbone of the accountability obligation under Art. 5(2) GDPR.

For each processing activity, the ROPA must contain at minimum: the name and contact details of the controller, the purposes of the processing, a description of the categories of data subjects and personal data, the categories of recipients, any third country transfers and the safeguards applied, the envisaged retention periods, and a general description of the technical and organisational security measures. Processors must maintain their own record covering all processing activities carried out on behalf of controllers.

In practice, the ROPA is far more than a bureaucratic formality. For you as a compliance officer, it provides a systematic overview of all data flows within the organisation, helps you identify risks early, and supports your assessment of whether a Data Protection Impact Assessment (DPIA) is required. The exemption for organisations with fewer than 250 employees applies only if the processing carries no risk to data subjects, is not carried out on a regular basis, and does not involve special categories of data; these conditions are rarely met in practice.

Legal Basis

Art. 30 GDPR

Practical Example

A mid-sized manufacturing company is preparing for an inspection by the data protection authority, which requests the ROPA within two weeks. As compliance officer, you discover that the record was last updated 18 months ago and does not yet include the recently introduced HR software or the new CRM system. You update the ROPA immediately, add the missing entries with all mandatory information under Art. 30 GDPR, and ensure that retention periods are defined for every data category. The updated ROPA is submitted to the authority on time.

FAQ

In principle, every controller and every processor. An exemption exists for organisations with fewer than 250 employees, but only if their processing poses no risk to data subjects, is not carried out regularly, and does not involve special categories of data — which is rarely the case in practice.
Under Art. 30 GDPR, the ROPA must include at minimum: the controller's name and contact details, processing purposes, categories of data subjects and personal data, recipients, third country transfers, retention periods, and a description of technical and organisational measures.
The ROPA must always be kept current. Any time new software, service providers, or processing activities are introduced, an update is required. A full annual review is recommended, along with ad hoc updates whenever there are organisational changes.
