Records of Processing Activities (RoPA) Free Template

This comprehensive Records of Processing Activities (RoPA) template helps organizations meet GDPR Article 30 requirements by systematically documenting all personal data processing activities across five core areas: what personal data is processed, why it's processed, where it's stored, who has access, and how long it's retained. Designed for larger organizations and those handling high-risk data, the template features 15 detailed sections covering everything from legal basis and data categories to international transfers, security measures, and data subject rights, with practical guidance including checkboxes, maintenance schedules, and compliance monitoring frameworks to ensure accurate, current documentation that demonstrates GDPR compliance.

Records of Processing Activities (RoPA)

Article 30 GDPR Compliance Template

Organization Information

Organization Name: [Insert Organization Name]
Data Protection Officer (DPO): [Name and Contact Details]
Last Updated: [Date]
Review Date: [Date]

Processing Activity Record #1: [Activity Name]

1. Data Controller Information

Controller Name: [Organization Name]
Contact Person: [Name, Title, Email, Phone]
Address: [Full Address]
DPO Contact: [If applicable]

2. Joint Controllers (if applicable)

Joint Controller Name: [Name]
Contact Details: [Contact Information]
Agreement Reference: [Reference to joint controller agreement]

3. Data Processor Information (if applicable)

Processor Name: [Third-party processor name]
Contact Details: [Contact information]
Processing Agreement: [Reference to data processing agreement]
Location: [Country/Region where processing occurs]

4. Purpose of Processing

Primary Purpose: [Detailed description of why data is processed]
Secondary Purposes: [Any additional purposes]
Business Function: [Which department/function requires this processing]

5. Legal Basis for Processing

Legal Basis (Article 6 GDPR):

  • Consent (6.1.a)

  • Contract (6.1.b)

  • Legal obligation (6.1.c)

  • Vital interests (6.1.d)

  • Public task (6.1.e)

  • Legitimate interests (6.1.f)

Specific Legal Basis Description: [Detailed explanation]

Special Category Data Legal Basis (Article 9 GDPR - if applicable):

  • Explicit consent (9.2.a)

  • Employment law (9.2.b)

  • Vital interests (9.2.c)

  • Public interest (9.2.g)

  • Health/medicine (9.2.h)

  • Other: [Specify]

6. Categories of Personal Data

Standard Personal Data:

  • Name and contact details

  • Identification numbers

  • Financial information

  • Employment details

  • Location data

  • Online identifiers

  • Other: [Specify]

Special Category Data (if applicable):

  • Health data

  • Biometric data

  • Genetic data

  • Religious/philosophical beliefs

  • Political opinions

  • Trade union membership

  • Sexual orientation/life

  • Criminal convictions

  • Other: [Specify]

7. Categories of Data Subjects

  • Employees

  • Customers

  • Suppliers

  • Website visitors

  • Patients

  • Students

  • Other: [Specify]

Estimated Number of Data Subjects: [Number range]

8. Data Sources

Direct Collection:

  • Data subject directly

  • Website forms

  • Applications

  • Surveys

  • Other: [Specify]

Indirect Collection:

  • Third parties

  • Public sources

  • Other organizations

  • Data brokers

  • Other: [Specify]

9. Data Storage and Location

Primary Storage Location: [Country/Region]
Storage System: [Database, cloud service, filing system, etc.]
Backup Locations: [List all backup locations]
Cloud Services Used: [Name providers and locations]

10. Data Recipients and Transfers

Internal Recipients:

  • HR Department

  • IT Department

  • Legal Team

  • Management

  • Other: [Specify]

External Recipients:

  • Service providers

  • Legal advisors

  • Regulators

  • Other: [Specify]

International Transfers:
Transfer Mechanism:

  • Adequacy decision

  • Standard contractual clauses

  • Binding corporate rules

  • Certification scheme

  • Other: [Specify]

Destination Countries: [List countries]
Safeguards Applied: [Detail safeguards]

11. Data Retention

Retention Period: [Specific timeframe]
Retention Criteria: [How retention period is determined]
Disposal Method: [How data is securely deleted/destroyed]
Legal/Regulatory Requirements: [Relevant laws requiring retention]

12. Security Measures

Technical Measures:

  • Encryption at rest

  • Encryption in transit

  • Access controls

  • Audit logging

  • Backup systems

  • Other: [Specify]

Organizational Measures:

  • Staff training

  • Access policies

  • Incident response plan

  • Regular security reviews

  • Other: [Specify]

13. Data Subject Rights

How data subjects can exercise their rights:
Contact Method: [Email, phone, postal address]
Response Timeframe: [Usually 30 days]
Verification Process: [How identity is verified]

Rights Supported:

  • Access (Article 15)

  • Rectification (Article 16)

  • Erasure (Article 17)

  • Restrict processing (Article 18)

  • Data portability (Article 20)

  • Object to processing (Article 21)

  • Withdraw consent (if applicable)

14. Risk Assessment

Risk Level: [Low/Medium/High]
Key Risks Identified:

  • Risk 1: [Description and mitigation]

  • Risk 2: [Description and mitigation]

  • Risk 3: [Description and mitigation]

Data Protection Impact Assessment (DPIA):

  • Required

  • Not required

  • Completed [Date]

15. Compliance Monitoring

Last Review Date: [Date]
Next Review Date: [Date]
Responsible Person: [Name and title]
Compliance Status: [Compliant/Issues identified/Under review]

Processing Activity Record #2: [Next Activity Name]

[Repeat the above structure for each processing activity]

Template Instructions

Completion Guidelines

  1. Complete one record for each distinct processing activity - don't group unrelated activities together

  2. Be specific and detailed - vague descriptions won't meet compliance requirements

  3. Update regularly - RoPA must be current and accurate

  4. Include all processing - both automated and manual processing activities

  5. Consider the entire data lifecycle - from collection to disposal

When to Create Separate Records

  • Different legal bases for processing

  • Different categories of data subjects

  • Different purposes

  • Different retention periods

  • Different security requirements

  • Different international transfers

Review and Maintenance

  • Monthly: Check for new processing activities

  • Quarterly: Review existing records for accuracy

  • Annually: Comprehensive review of all records

  • When changes occur: Update immediately for significant changes

Common Mistakes to Avoid

  • Grouping unrelated activities together

  • Using vague language like "various purposes"

  • Failing to identify all data recipients

  • Not documenting international transfers

  • Incomplete security measure descriptions

  • Missing retention period justifications

Legal Requirements Summary

Article 30 GDPR requires organizations to maintain records that include:

  • Names and contact details of controller, representatives, and DPO

  • Purposes of processing

  • Categories of data subjects and personal data

  • Recipients of personal data

  • International transfers and safeguards

  • Retention periods

  • Security measures (general description)

Note: This template should be adapted to your specific organization and reviewed by legal counsel familiar with GDPR compliance requirements.

Template

Ready to experience the BlueDocs advantage

See why teams choose BlueDocs for comprehensive knowledge management, training workflows, and policy compliance tracking.
