ROPA – Requirements and Exemptions

The obligation to create and maintain Records of Processing Activities (ROPA) applies to the majority of controllers and processors, and – for non-EU companies – their EU Representatives. The legal provisions on the register of processing activities are set out in Article 30 of the GDPR.

A widespread misconception concerning ROPAs is that this duty applies to large companies only. While according to Article 30 of the GDPR companies with more than 250 employees must indeed always keep a ROPA, those with fewer than 250 employees are exempt from holding a record if one of these factors applies:

  • The processing is not likely to pose a risk to the rights and freedoms of the data subject.
    Companies can assess a likely risk for data subjects by taking into account the nature, scope, context and purposes for processing, as well as the varying likelihood and severity of risks. Examples include geolocation systems and video surveillance.
  • No special categories of data are processed.
    Special categories of data include, for instance, data concerning criminal records, religious affiliations as well as health data of employees. Most companies will process sick certificates and other employee information falling under this category.
  • The processing is done only occasionally.
    Data processing can be occasional if it plays a subordinate role in the activity and only occurs for a very short time or once. An example would be a company informing clients of a change of address in case of relocation. On the contrary, daily activities of companies like customer management or salary management are not occasional.

In practice, this exemption is rarely applicable; most companies, regardless of whether or not they engage more than 250 employees, will be required to keep a ROPA, as in almost every organisation some processing takes place on a structural basis. Also, it is not unlikely for companies to process special categories of data, especially in the context of human resources.

Why a ROPA?

For reasons of accountability and transparency, controllers must maintain structured data protection documentation. It not only ensures transparency of data processing but also enables the data protection officer (DPO), EU representative and supervisory authorities to perform their duties well. In a nutshell, a ROPA demonstrates whether a company is GDPR compliant, pursuant to Art. 5 (2) GDPR. Furthermore, a ROPA is crucial for the preparation of data protection impact assessments (DPIA). By maintaining a processing directory, your company not only achieves transparency regarding the processing of personal data but is also legally protected in the event of an audit by the data protection supervisory authorities.

While building a complete list of processing activities is often a complicated and time-consuming task for companies, the creation and maintenance of a ROPA can prove to be beneficial for several reasons. Because the information is readily available, it facilitates a prompt and accurate response to potential data subject requests, and it helps establish an efficient data erasure schedule to avoid accumulating a bulk of unnecessary personal data. It also allows a company to identify possible future risks and take steps to mitigate them.

What is a ROPA?

By definition, a ROPA is a record of an organisation’s processing activities involving personal data. Pursuant to Art. 30 (3) GDPR, it must be in written or electronic text form.

“Processing” is any activity performed on personal data (collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction). Thus, not only the active collection of data but also the mere storage of data on a server is considered processing. In practice, each business process will be a separate processing activity.

As stipulated in Article 30 of the GDPR:

1. Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information:

(a) the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer;

(b) the purposes of the processing; 

(c) a description of the categories of data subjects and of the categories of personal data; 

(d) the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations; 

(e) where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards; 

(f) where possible, the envisaged time limits for erasure of the different categories of data; 

(g) where possible, a general description of the technical and organisational security measures referred to in Article 32(1). 

2. Each processor and, where applicable, the processor’s representative shall maintain a record of all categories of processing activities carried out on behalf of a controller, containing:

(a) the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller’s or the processor’s representative, and the data protection officer; 

(b) the categories of processing carried out on behalf of each controller; 

(c) where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards; 

(d) where possible, a general description of the technical and organisational security measures referred to in Article 32(1).

Creating and maintaining a ROPA

As a controller or processor, companies are responsible for creating and maintaining a ROPA and for keeping an overview of all processing activities they operate.

If you are not an EU company and need to appoint an EU representative, the EU Representative will help you with regard to your obligations under the GDPR. The EU representative acts as a middleman with supervisory authorities and data subjects, while the company outside the EU plays an active role in creating and maintaining records of processing activities and making these records available to the supervisory authorities upon request.

1. Identify processes

Firstly, all details must be determined and gathered by conducting an audit to help clarify what kind of personal data is processed. To do so, it is useful to meet directly with key departments (such as HR, Marketing, Customer Support, etc.) of your company to better understand how they use data and to document the required details. Other departments will hold some necessary and specific information about processing activities, e.g., IT holds information about the technical security measures, while the legal department keeps track of data-sharing arrangements.

Secondly, other relevant information can be found in your existing GDPR documentation.

You should be able to answer these questions about each personal data processing activity:

  1. How do you process personal data? 
  2. Why do you use personal data?
  3. Who do you hold information about?
  4. What information do you hold about them?
  5. Who do you share it with? Do you use any external contractors? Are any of them outside the EU?
  6. For how long do you store it?
  7. How do you keep it safe?

2. Document processing activities

The documentation of your processing activities must be in writing, in paper or electronic form. Because maintaining a ROPA means adding, removing and amending entries as necessary, electronic form is suggested. Moreover, documentation shall be done in a granular and logical way, as you may have separate erasure periods for different categories of data.

3. Update regularly

The record must be updated regularly, in line with the functional and practical evolution of the data processing. In practice, any change to the conditions under which a processing activity entered in the record is carried out (new data collected, length of the preservation time, new processing recipient, etc.) must be added to the record.

In conclusion, the ROPA is a real tool for controlling compliance with the GDPR.