Records of processing activities in GDPR Article 30

What are the records of processing activities (ROPA)?

Article 30 of the EU General Data Protection Regulation (GDPR) requires organisations to maintain internal records describing all of the personal data processing activities they carry out. These records help an organisation understand what personal data it collects, where that data comes from, who it is shared with and how it is processed.

The records of processing activities (ROPA) must be kept in writing, which includes electronic form. The supervisory authority may use the records to assess whether the organisation meets the accountability principle, so the records must be made available to the supervisory authority on request.

The records of processing activities are not only a formal requirement. They hold the core information needed to manage the organisation's compliance and to produce other required documentation, such as the privacy policy, data processing agreements and data retention schedules.

Who needs to document the records of processing activities?

Article 30 GDPR requires organisations with 250 or more employees to keep records of all their processing activities. Organisations with fewer than 250 employees are exempt from the obligation, except for processing activities that:

  • are not occasional (e.g., are more than just a one-off occurrence or something you do rarely); or
  • are likely to result in a risk to the rights and freedoms of individuals (e.g., something that might be intrusive or adversely affect individuals); or
  • involve special category data or criminal conviction and offence data (as defined by Articles 9 and 10 of the GDPR).


What information should be included in the records of processing activities?

If your organisation acts as a data controller, Article 30(1) of the GDPR requires you to document at least the following:

  • the name and contact details of the controller and, where applicable, of any joint controller and of the controller's representative;
  • if the organisation has appointed a data protection officer, the DPO's name and contact details;
  • the purposes of the processing – what the personal data is used for (eg customer support, employment, marketing, product development, sales);
  • the categories of data subjects (eg employees, customers, contact persons of vendors);
  • the categories of personal data processed (eg identification data, contact details, health data);
  • the categories of recipients to whom the personal data has been or will be disclosed, including recipients in third countries or international organisations (eg partners, service providers, authorities);
  • where applicable, transfers of personal data to a third country or an international organisation, identifying the country or organisation and, for transfers relying on the second subparagraph of Article 49(1), documenting the suitable safeguards;
  • where possible, the envisaged retention periods (time limits for erasure) for the different categories of personal data;
  • where possible, a general description of the technical and organisational security measures referred to in Article 32(1) (eg encryption, pseudonymisation or anonymisation, restrictions on access to documents and systems holding personal data, staff training).

Under Article 30(2) GDPR, processors are also required to maintain a record of all categories of processing carried out on behalf of controllers. In this case, the record includes the following information:

  • the name and contact details of the processor (and of any sub-processors it uses), of each controller on whose behalf it acts and, where applicable, of the controller's or processor's representative;
  • if the organisation has appointed its own data protection officer, the DPO's name and contact details;
  • the categories of processing carried out on behalf of each controller;
  • where applicable, transfers of personal data to a third country or an international organisation, identifying the country or organisation and, for transfers relying on the second subparagraph of Article 49(1), documenting the suitable safeguards;
  • where possible, a general description of the technical and organisational security measures referred to in Article 32(1) (eg encryption, pseudonymisation or anonymisation, restrictions on access to documents and systems holding personal data, staff training).

How do I create the records of processing activities?

The records must be kept in writing (electronic form is acceptable) and updated whenever processing activities change. The legal obligation to maintain them rests with the controller or processor itself; it is not one of the DPO's statutory tasks. In practice, however, where an organisation has appointed a Data Protection Officer (DPO), the DPO usually coordinates the mapping of processing activities and the upkeep of the register. If the organisation has no designated DPO, the mapping can be assigned to an employee with the appropriate qualifications. It is also quite common to use external consultants for the initial mapping and to hire a DPO-as-a-Service to cover the ongoing DPO responsibilities.

You could start by mapping information systems and personal data to find out what information your organisation holds and where. It is important that different stakeholders from across your organisation are involved in the process. This helps prevent any type of personal data or processes from being overlooked. It is equally important to involve senior management so that your mapping project is supported and its importance is communicated to all involved stakeholders.

Once you have an overview of what personal data you hold and where it is located, you can start compiling the records of processing activities. How you do this is up to you – in a spreadsheet or with a dedicated tool – but the next three steps should make it easier to reach the final result.

Compile a questionnaire on data processing activities

Share the questionnaire with the stakeholders and departments that process personal data. The questions should map directly to the fields the record must contain, for example:

  • What is the personal data used for (purpose of the processing)?
  • Whose personal data is collected (categories of data subjects)?
  • Which personal data is held about them (categories of personal data)?
  • Who is the personal data shared with, and is any of it transferred outside the EU/EEA?
  • How long is the personal data kept?
  • How is the personal data protected?

Interview the stakeholders

Based on this data, draft the records of processing activities and interview stakeholders to refine the data and get a better understanding of the processes.

Find existing documentation

If some of the required documentation already exists in the organisation, find it and review the policies, procedures and agreements. Comparing the existing documentation with the planned records will reveal inconsistencies between what was documented earlier and what actually happens today.

Compiling a ROPA is not a small undertaking. It requires considerable time and cooperation from stakeholders and other people involved in the processing. To simplify this task, we have created a helpful tool – the GDPR Register.

Maintain ROPAs effectively with GDPR Register


With GDPR Register you can do the following:


Get your compliance organized with proper GDPR tools.
Contact us for a demo and get access to a 14-day trial.

