Under the GDPR, keeping clear Records of Processing Activities (ROPA) is required for most businesses. Many companies wrongly assume this only applies to large organisations. This article explains who needs a ROPA, what to include, and why regular updates are important.
• Almost All Companies Must Maintain a ROPA: Most companies, regardless of size, need a ROPA, because the exemption for smaller organisations rarely applies once personal data (or special categories of data) is processed on a regular basis.
• ROPA Ensures GDPR Compliance and Transparency: A detailed ROPA helps organizations demonstrate compliance, facilitates transparency, and provides essential support during audits and data protection impact assessments (DPIAs).
• Regular Updates are Crucial: A ROPA must be continuously updated to reflect changes in data processing activities, ensuring accuracy, effective risk management, and prompt responses to inquiries from data subjects and supervisory authorities.
The obligation to create and maintain Records of Processing Activities (ROPA) applies to the majority of controllers and processors and, for non-EU companies, to their EU representatives. The legal provisions on the record of processing activities are set out in Article 30 of the GDPR.
A widespread misconception concerning ROPAs is that this duty applies to large companies only. Under Article 30 of the GDPR, companies with 250 or more employees must indeed always keep a ROPA. Those with fewer than 250 employees are exempt from keeping a record only if all of the following conditions apply (Art. 30 (5) GDPR); if any one of them is not met, the record is required:
• The processing is not likely to result in a risk to the rights and freedoms of the data subject.
Companies can assess the likely risk to data subjects by considering the nature, scope, context and purposes of the processing, as well as the likelihood and severity of the risks involved. Examples of processing that is likely to pose such a risk include geolocation systems and video surveillance.
• No special categories of data (Art. 9 GDPR) or data relating to criminal convictions and offences (Art. 10 GDPR) are processed.
Special categories of data include, for instance, religious beliefs and health data; criminal records are covered by the separate Article 10 category. Most companies will process sick notes and other employee information falling under these categories.
• The processing is done only occasionally.
Processing can be considered occasional if it plays a subordinate role in the activity and occurs only once or for a very short time. An example would be a company informing clients of a change of address after a relocation. By contrast, the daily activities of companies, such as customer management or payroll, are not occasional.
In practice, this exemption is rarely applicable; most companies, whether or not they employ 250 or more people, will be required to keep a ROPA. In almost every organisation some processing takes place on a structural basis, and it is not unlikely that companies process special categories of data, especially in the context of human resources.
For reasons of accountability and transparency, controllers must ensure structured data protection documentation. It not only ensures transparency of data processing but also enables the data protection officer (DPO), the EU representative and the supervisory authorities to perform their duties well. In a nutshell, the ROPA shows whether a company is GDPR compliant, in line with the accountability principle of Art. 5 (2) GDPR. Furthermore, a ROPA is crucial for the preparation of data protection impact assessments (DPIAs). By maintaining a ROPA, your company not only achieves transparency regarding the processing of personal data but is also far better placed to demonstrate compliance in the event of an audit by the data protection supervisory authorities.
While building a complete list of processing activities is often a complicated and time-consuming task, creating and maintaining a ROPA can prove beneficial for several reasons. When the information is readily available, it facilitates a prompt and accurate response to data subject requests, and it supports an efficient data erasure schedule that avoids accumulating unnecessary personal data. It also allows a company to identify possible future risks and take steps to mitigate them.
By definition, a ROPA is a record of an organisation’s processing activities involving personal data. Pursuant to Art. 30 (3) GDPR, it must be in written or electronic text form.
“Processing” is any operation performed on personal data (Art. 4 (2) GDPR): collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Thus, not only the active collection of data but also the mere storage of data on a server is considered processing. In practice, each business process will be a separate processing activity.
1. Each controller and, where applicable, the controller’s representative shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information:
(a) the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer;
(b) the purposes of the processing;
(c) a description of the categories of data subjects and of the categories of personal data;
(d) the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organisations;
(e) where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
(f) where possible, the envisaged time limits for erasure of the different categories of data;
(g) where possible, a general description of the technical and organisational security measures referred to in Article 32(1).
2. Each processor and, where applicable, the processor’s representative shall maintain a record of all categories of processing activities carried out on behalf of a controller, containing:
(a) the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller’s or the processor’s representative, and the data protection officer;
(b) the categories of processing carried out on behalf of each controller;
(c) where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
(d) where possible, a general description of the technical and organisational security measures referred to in Article 32(1).
As controllers or processors, companies are responsible for creating and maintaining a ROPA and for keeping an overview of all processing activities they operate.
If you are not an EU company and need to appoint an EU representative, the EU representative will help you with your obligations under the GDPR. The EU representative acts as a middleman between supervisory authorities and data subjects. At the same time, the company outside the EU remains actively responsible for creating and maintaining the records of processing activities and for making them available to the supervisory authorities upon request.
Firstly, all details must be determined and gathered by conducting an audit that clarifies what kind of personal data is processed. To do so, it is useful to meet directly with the key departments of your company (such as HR, Marketing and Customer Support) to understand better how they use data and to document the required details. Other departments hold specific information that is also necessary for the record: for example, IT holds information about the technical security measures, while the legal department keeps track of data-sharing arrangements.
Secondly, other relevant information can be found in your existing GDPR documentation.
You should be able to answer these questions about each personal data processing activity:
The documentation of your processing activities must be in writing, in paper or electronic form. Because a ROPA must be maintained, meaning entries are added, removed and amended as necessary, an electronic form is recommended. Moreover, the documentation should be granular and logically structured, as you may have separate erasure periods for different categories of data.
The record must be updated regularly as the processing evolves in practice. Any change to the conditions of a processing activity entered in the record (new data collected, a changed retention period, a new recipient, etc.) must be reflected in the record.
Businesses often underestimate the importance of maintaining an accurate ROPA. One frequent mistake is assuming the obligation applies exclusively to large enterprises, causing smaller firms to overlook their responsibilities. Companies also tend to document activities too vaguely or incompletely, skipping details on data categories, recipients or retention periods.
Another oversight is neglecting regular updates, which leads to outdated or incorrect records. To reduce compliance risk, ensure your ROPA clearly reflects all data processing and is kept up to date with any changes in business activities.
In conclusion, the ROPA is a genuine tool for controlling compliance with the GDPR. An accurate and up-to-date ROPA is not just a legal requirement; it is good practice for every business that handles personal data. Clear records help businesses stay transparent, protect their customers’ information, and handle audits and data subject requests with ease.
With regular reviews and updates of ROPA, companies reduce compliance risks and commit to responsible data management.