Legal

Records of Processing

A written record of all processing activities carried out by a data controller or processor — required under GDPR Article 30.

Records of processing activities (ROPA) are detailed inventories of all personal data processing carried out by an organisation. They are a mandatory requirement under the GDPR.

What Must Be Recorded (Controllers)

  • Name and contact details of the controller and DPO
  • Purposes of processing
  • Categories of data subjects and personal data
  • Categories of recipients
  • International transfers and safeguards
  • Retention periods
  • Security measures

GDPR Article 30.

Related Terms

Data ControllerPrivacy

The entity that determines the purposes and means of processing personal data.

Data ProcessorPrivacy

An entity that processes personal data on behalf of a data controller.

DPOPrivacy

Data Protection Officer — an independent expert responsible for monitoring an organisation's data protection compliance.

GDPRLegal

The General Data Protection Regulation — the EU's comprehensive data protection law, effective since May 2018.

Right of Access