Records of Processing Activities (ROPA)
Also known as: ROPA, Record of Processing, Article 30 record
A Record of Processing Activities is the written inventory of personal data processing operations required by Article 30 of the GDPR. Controllers and processors must maintain one, make it available to the supervisory authority on request, and keep it current.
What goes in a ROPA
For each processing activity: the purposes of processing, the categories of data subjects and personal data, the categories of recipients (including third-country recipients), retention periods where possible, and a general description of the technical and organisational security measures.
A controller’s ROPA also includes its name and contact details, the data protection officer’s contact details where one is appointed, and a record of any transfers outside the EEA together with the legal basis for those transfers.
When the ROPA obligation actually applies
Article 30 has a small-organisation exemption (fewer than 250 employees). The exemption is almost always overridden, because it does not apply if the processing is likely to result in a risk to data subjects, is not occasional, or includes special categories of data. Almost every commercial organisation that processes personal data needs a ROPA.
Format and update cadence
Article 30 does not prescribe a format. A spreadsheet, a database, or a dedicated tool all satisfy the requirement. What matters is completeness, currency, and the ability to produce the record on request from the supervisory authority. Supervisory authorities have published optional templates, including the CNIL and the ICO; many controllers use these as a starting point.
A ROPA is a living document. Update it when a processing activity changes, when a new sub-processor is added, when retention periods change, and at least annually as part of the data protection programme review.