GDPR Article 30

Records of processing activities in GDPR Article 30

What are the records of processing activities (ROPA)?

Article 30 of the EU General Data Protection Regulation (GDPR) requires organisations to maintain internal records, which contain the information of all personal data processing activities carried out by the organisation. These records help organisations understand what personal data they collect, where it comes from and how that data is being processed.

The records of processing activities (ROPA) must be in concluded in written or electronic form. If necessary, the supervisory authority can use the records to evaluate the accountability requirement of the organisation. For this reason, the record must be made available to the supervisory authority upon request. 

The records of processing activities are not only a formal requirement, but they contain the core of information for managing compliance of the organisation and production of other required documentation like privacy policy, data processing agreements, data retention schedules, etc.

Who needs to document the records of processing activities?

Article 30 GDPR stipulates that all records of processing activities have to be maintained by organisations employing more than 250 employees. Smaller organisations only need to document processing activities that:

  • are not occasional (e.g., are more than just a one-off occurrence or something you do rarely); or
  • are likely to result in a risk to the rights and freedoms of individuals (e.g., something that might be intrusive or adversely affect individuals); or
  • involve special category data or criminal conviction and offence data (as defined by Articles 9 and 10 of the GDPR).

 

What information should be included in the records of processing activities?

If your organisation acts as a data controller, you are required by Article 30 of the GDPR to document at least the following:

  • the name and contact details of the controller and the joint controller(s) (if any);
  • if the organisation has appointed a data protection officer, his name and contact details;
  • purposes of the processing – what you use personal data for (customer support, employment, marketing, product development, sales);
  • categories of data subjects (eg employees, customers, contact persons of vendors);
  • categories of personal data processed (eg personal identification information, contact details, health data);
  • categories of recipients of personal data (eg partners, third parties, authorities, management);
  • where applicable, the list of third countries or international organisations to which the personal data is transferred;
  • in the case of transfers of personal data to a third country, the details of the transfer, including the name of the country and other information on the circumstances of the transfer and the safeguards;
  • where possible, the retention periods for different categories of personal data;
  • a description of the technical and organisational security measures (eg encryption, employee training, restrictions on access to documents and other personal data, anonymisation).

According to Article 30 GDPR, Processors are also required to maintain the records of data processing activities. In this case, the records will include the following information:

  • the names and contact details of the processor, its controller(s) and sub-processors;
  • if the organisation has appointed its own data protection officer, its name and contact details;
  • categories of processing performed on behalf of the controller
  • if personal data is transferred to a third country, the details of the transfer, including the name of the country and other information on the circumstances of the transfer and the safeguards;
  • a description of the technical and organisational security measures (eg encryption, staff training, restrictions on access to documents and other personal data, anonymisation).
Report of Records of Processing Activities

How do I create the records of processing activities?

Records must be stored in electronic form and regularly updated. If the organisation has an obligation to appoint a Data Protection Officer (DPO), the obligation to keep a mapping of the processing activities is the responsibility of the Data Protection Officer. If the organisation does not have a designated DPO, the mapping of the records of the processing activities may also be considered by an employee who has the appropriate qualifications to perform such operation. It’s quite common to use external consultants to perform initial mapping of ROPA and hire a DPO-as-a-Service to cover the rest of ongoing DPO responsibilities.

You could start by mapping information systems and personal data to find out what information your organisation holds and where. It is important that different stakeholders from across your organisation are involved in the process. This helps prevent any type of personal data or processes from being overlooked. It is equally important to involve senior management so that your mapping project is supported and its importance is communicated to all involved stakeholders.

Once you have an overview of the amount of personal data and their locations, you can start compiling the records of processing activities. It’s up to you to decide how to do this – in a spreadsheet or using some modern tools, but we hope the next three steps will help you get easier to the final result.

Compile a questionnaire on data processing activities

You can share the questionnaire between the stakeholders and departments that process personal data. The questions could be:

  • What is personal data used for?
  • Who are the persons for whom personal data are collected?
  • What personal information is held about them?
  • Who is this personal information shared with?
  • For how long is this personal data stored?
  • How is this personal information protected?

Interview the stakeholders

Based on this data, draft the records of processing activities and interview stakeholders to refine the data and get a better understanding of the processes.

Find existing documentation

If some part of required documentation already existed in the company, find it and review the policies, procedures and agreements – this will help to compare the previously concluded documentation with the planned records and identify any inconsistencies with the actual situation.

It is obvious that the ROPA project is not an easy challenge. It will require considerable time resources and cooperation with stakeholders and other involved persons. To simplify this task, we have created a helpful tool – the GDPR Register.

Maintain ROPAs effectively with GDPR Register

GDPR Software Solution by GDPR Register

With GDPR Register you can do followitng:

Share on facebook
Share on linkedin
Share on twitter
Share on pinterest
Share on email

Get your compliance organized with proper GDPR tools.
Contact us for a demo and get access to 14-day trial.

Save time and be confident

Latest Posts
Preparing Your Small Business for GDPR Compliance

Preparing Your Small Business for GDPR Compliance

The General Data Protection Regulation (GDPR) is a European Union law that protects the privacy and personal data of individuals...
The GDPR Data Map – Your Complete Guide

The GDPR Data Map – Your Complete Guide

The General Data Protection Regulation (GDPR) is a European regulation establishing the framework for personal data protection of individuals in...
GDPR in Healthcare: Compliance Guide

GDPR in Healthcare: Compliance Guide

Since General Data Protection Regulation (GDPR) entered into force, the personal data protection has become more challenging to the Healthcare...
GDPR software: 10 Great Tools For Compliance in 2024

GDPR software: 10 Great Tools For Compliance in 2024

In this article, we will introduce you to some useful GDPR software tools which may help you reach GDPR compliance...
The lawful basis for Data Processing under the GDPR

The lawful basis for Data Processing under the GDPR

A lawful (or legal) basis for processing data must be satisfied before a business can process any personal data. Article 6...
The EU-U.S. Data Privacy Framework: A Transatlantic honeymoon for data flows, but for how long?

The EU-U.S. Data Privacy Framework: A Transatlantic honeymoon for data flows, but for how long?

The European Commission concluded that the United States ensures adequate protection for personal data transferred from the EU to U.S....
A Comprehensive Guide to Personal Data Mapping

A Comprehensive Guide to Personal Data Mapping

Introduction Data privacy and security are of utmost concern in the digital era of today, especially when it comes to...
Data Processing Agreement (DPA)

Data Processing Agreement (DPA)

What is a Data Processing Agreement (DPA)?A Data Processing Agreement (DPA) is a legally binding document to be entered into...
Direct marketing rules and exceptions under the GDPR

Direct marketing rules and exceptions under the GDPR

Direct marketing includes text messages (SMS) and emails that a customer receives from a product or service provider. But activities...
Transmitting personal data to third countries

Transmitting personal data to third countries

The GDPR has put strict rules in place, when it comes to data transfer to third countries or international organizations. Which...