Record of Processing Activities (ROPA) — How to Maintain One in Compliance With the GDPR
The Record of Processing Activities (ROPA) is one of the fundamental documents required by the GDPR. It is an internal inventory of all personal data processing activities within the organisation — a “data map” that shows what data is processed, for what purpose, on what legal basis, to whom it is disclosed, and how long it is retained.
The ROPA is typically the first document UODO (the Polish data protection authority) requests during an audit. Its absence or incompleteness is one of the most frequently identified violations — and at the same time one of the easiest to remedy. This article explains who must maintain a ROPA, what it should contain, and how to prepare one in practice.
Legal Basis — Article 30 GDPR
The obligation to maintain a Record of Processing Activities arises from Article 30 of the GDPR. This provision distinguishes two types of records:
Article 30(1) — a record of processing activities maintained by the data controller. It documents all processing activities in which the organisation acts as a controller (independently determines the purposes and means of processing).
Article 30(2) — a record of categories of processing activities maintained by the data processor. It documents processing activities carried out on behalf of controllers.
If your organisation is both a controller (processes data of its own clients and employees) and a processor (processes data on behalf of other companies), you must maintain both records.
Who Must Maintain a ROPA?
As a general rule — every controller and every processor. Article 30(5) GDPR provides an exemption for organisations with fewer than 250 employees, but this exemption is so narrow that in practice it applies to very few companies.
An organisation with fewer than 250 employees must maintain a ROPA if the processing is likely to result in a risk to the rights and freedoms of data subjects (and such a risk exists in virtually all cases), the processing is not occasional (and regular processing of customer, employee, or contractor data is not occasional), or the organisation processes special categories of data (Article 9 GDPR) or data relating to criminal convictions (Article 10 GDPR).
In practice, this means that every company that has even one employee or processes customer data should maintain a ROPA. The Article 30(5) exemption is illusory.
UODO has expressly confirmed this position, recommending that all controllers and processors maintain a ROPA, regardless of organisational size.
What Must the Controller’s ROPA Contain — Article 30(1) GDPR
The controller’s record must include the following information for each processing activity:
1. Name and contact details of the controller — as well as of any joint controller (if applicable) and representative (if applicable). Example: “Law Office of Dr Joanna Maniszewska-Ejsmont, ul. Kościuszki 10 lok. 1, 05-500 Piaseczno, Poland.”
2. DPO contact details — if one has been designated. Example: “iod@maniszewska.pl.”
3. Purposes of processing — specific and precise. “Business purposes” is not sufficient — each purpose must be stated separately. Examples: “performance of a legal services agreement,” “accounting and tax settlements,” “direct marketing of own services,” “employee recruitment.”
4. Description of categories of data subjects — whose data you process. Examples: “clients,” “employees,” “job candidates,” “contractors (contact persons),” “website users.”
5. Description of categories of personal data — what data you process. Examples: “identification data (name, surname, national ID number),” “contact data (address, email, phone),” “financial data (bank account number, salary),” “health data (medical certificates).”
6. Categories of recipients — to whom data is or will be disclosed. Examples: “accounting firm (processor),” “hosting provider (processor),” “social insurance institution (controller),” “tax authority (controller),” “courts (controller).”
7. Information about transfers to third countries — whether data is transferred outside the EEA, to which country, and on what basis (adequacy decision, SCCs, BCRs). If there are no transfers, state “no transfers to third countries.”
8. Planned data deletion deadlines — where possible. Specific retention periods for each processing purpose. Examples: “personnel files — 10 years from the end of the employment relationship,” “client data — 5 years from the end of the contract (limitation of claims),” “recruitment data — 3 months from the end of the recruitment process (or 12 months with the candidate’s consent).”
9. General description of technical and organisational security measures — where possible. A description of data protection measures. Examples: “disk and data transmission encryption,” “role-based access control,” “regular backups,” “staff data protection training.”
What Must the Processor’s Record Contain — Article 30(2) GDPR
If your organisation processes data on behalf of other controllers (acts as a processor), you must maintain a separate record containing:
The name and contact details of the processor and each controller on whose behalf it acts.
DPO contact details (if designated).
Categories of processing carried out on behalf of each controller — e.g., “data storage on server,” “bookkeeping,” “CRM system operation.”
Information about transfers to third countries.
A general description of technical and organisational security measures.
Format of the ROPA — How to Maintain It
The GDPR requires the ROPA to be maintained in writing, including in electronic form (Article 30(3)). In practice, the most commonly used formats are:
Spreadsheet (Excel/Google Sheets) — the simplest and most commonly used solution. Each row represents one processing activity, and columns correspond to the required elements from Article 30. Advantages: easy to edit, filter, and sort. Disadvantages: no version control, risk of accidental edits.
Dedicated software — tools such as OneTrust, Securiti, DataGrail, Piwik PRO. Advantages: automation, version control, integration with other GDPR processes. Disadvantages: cost, learning curve.
Text document (Word) — permissible but impractical for a larger number of processing activities.
For most small and medium-sized companies, a spreadsheet is the optimal solution.
How to Build a ROPA Step by Step
Step 1: Process Inventory
Review all departments and processes in the organisation and identify where personal data is processed. Typical sources of processing activities:
- HR — recruitment, employment, personnel files, training, benefits, monitoring.
- Sales — customer service, contracts, invoices, CRM.
- Marketing — newsletter, email campaigns, social media, cookies.
- IT — IT systems, hosting, backups, logs.
- Finance — accounting, settlements, taxes.
- Administration — correspondence, CCTV, access control.
- Website — contact forms, cookies, analytics.
Step 2: Describe Each Process
For each identified process, complete all required fields from Article 30(1). Be specific — avoid generalities.
Step 3: Determine Retention Periods
For each process, establish how long data will be stored. Retention periods arise from legislation (e.g., Labour Code, tax law), contracts (e.g., limitation period for claims), or controller decisions (e.g., marketing data — until consent is withdrawn).
Step 4: Identify Recipients and Transfers
For each process, check to whom data is disclosed (internally and externally) and whether transfers outside the EEA occur (cloud services, analytics tools, marketing platforms).
Step 5: Describe Security Measures
For each process (or collectively for the entire organisation), describe the technical and organisational measures in place.
Step 6: Review and Update
The ROPA is a living document — it must be updated whenever processing activities change: a new purpose, a new system, a new processor, a change in data scope, or a change in retention period. Best practice is to review the ROPA at least once per quarter.
Sample ROPA Entries
Process 1: Client service — legal services
| Element | Description |
|---|---|
| Processing purpose | Provision of legal services, management of client cases |
| Legal basis | Article 6(1)(b) GDPR (contract performance) |
| Categories of data subjects | Clients (natural persons) |
| Categories of data | Name, surname, address, national ID, contact details, case-related data |
| Recipients | Courts, administrative authorities, accounting firm (processor) |
| Transfer outside EEA | None |
| Retention period | 10 years from the end of the case (limitation of claims) |
| Security measures | Encryption, access control, locked cabinet for paper files |
Process 2: Website — contact form
| Element | Description |
|---|---|
| Processing purpose | Handling enquiries from the contact form |
| Legal basis | Article 6(1)(f) GDPR (legitimate interest — responding to the enquiry) |
| Categories of data subjects | Website users |
| Categories of data | First name, email address, message content |
| Recipients | Hosting provider (processor) |
| Transfer outside EEA | None (hosting in Poland/EU) |
| Retention period | 12 months from receipt of the enquiry |
| Security measures | SSL/TLS, server encryption, backups |
Process 3: Marketing — newsletter
| Element | Description |
|---|---|
| Processing purpose | Sending a newsletter with legal information |
| Legal basis | Article 6(1)(a) GDPR (consent) |
| Categories of data subjects | Newsletter subscribers |
| Categories of data | Email address |
| Recipients | Email platform provider (processor) |
| Transfer outside EEA | Yes — USA (DPF + SCCs) |
| Retention period | Until consent is withdrawn |
| Security measures | Transmission encryption, double opt-in mechanism |
The ROPA and a UODO Audit
During a UODO audit, the Record of Processing Activities is one of the first documents the inspector requests. UODO verifies:
Whether a ROPA exists at all — the absence of a ROPA is a violation of Article 30 GDPR.
Whether it is complete — whether it contains all required elements.
Whether it is current — whether it reflects the organisation’s actual processing activities.
Whether it is consistent with other documents — e.g., with privacy notices, data processing agreements, and data protection policies. Inconsistencies (e.g., the ROPA indicates a 3-year retention period while the privacy notice states 5 years) are treated as a signal of data management problems.
UODO has imposed fines on organisations for the absence or incompleteness of a ROPA — on both small companies and large public entities.
Most Common ROPA Mistakes
No record at all — the organisation does not maintain a ROPA, citing the Article 30(5) exemption (fewer than 250 employees). As explained above, this exemption is virtually inapplicable.
One-off ROPA — a record prepared in 2018 during the GDPR implementation and never updated since. Processing activities change — the ROPA must reflect this.
Vague entries — “we process customer data for business purposes” instead of specific purposes, legal bases, and retention periods.
No retention periods — the organisation has not defined how long it retains data. This violates both Article 30 (ROPA) and Article 5(1)(e) (storage limitation principle).
Omitting the processor record — the organisation maintains a controller ROPA but does not maintain a record of categories of processing activities as a processor (despite processing data on behalf of clients).
Inconsistency with privacy notices — the ROPA indicates different purposes or legal bases than the privacy notices provided to data subjects.
No security measures — the organisation does not describe the technical and organisational measures in the ROPA.
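The mistakes above can be caught mechanically when the ROPA is kept as a spreadsheet. The following is an added example, not code from the article or the law office: it checks each row for the Article 30(1) elements, vague purposes, transfers without a stated basis, and retention periods that differ from the privacy notice. The column names, the list of vague phrases and the sample rows are assumptions constructed for the example.

```python
# Added example, not from the article: a completeness and consistency check for
# controller ROPA rows (e.g. exported from the spreadsheet) against the
# Article 30(1) elements and the common mistakes listed above.
# Article 30(1) elements as column names (assumed spreadsheet headers).
REQUIRED = ("purpose", "legal_basis", "data_subjects", "data_categories",
            "recipients", "third_country_transfer", "retention", "security_measures")
# Wording the article calls too vague to count as a purpose (constructed list).
VAGUE_PURPOSES = ("business purposes", "various purposes", "internal purposes")


def check_entry(entry: dict, privacy_notice: dict) -> list:
    """Return findings for one row (empty list = nothing flagged). privacy_notice
    maps process name -> retention stated in the published notice, for cross-checking."""
    findings = []
    name = entry.get("process", "<unnamed>")
    for field in REQUIRED:  # every Article 30(1) element must be filled in
        if not str(entry.get(field, "")).strip():
            findings.append(f"{name}: missing Article 30(1) element '{field}'")
    if any(v in str(entry.get("purpose", "")).lower() for v in VAGUE_PURPOSES):
        findings.append(f"{name}: purpose too vague ('{entry['purpose']}')")
    transfer = str(entry.get("third_country_transfer", "")).strip().lower()
    if transfer and transfer != "none" and not entry.get("transfer_basis"):
        findings.append(f"{name}: transfer outside the EEA without a stated basis")
    stated = privacy_notice.get(name)
    if stated and entry.get("retention") and stated != entry["retention"]:
        findings.append(f"{name}: retention '{entry['retention']}' differs from "
                        f"privacy notice '{stated}'")
    return findings


def check_ropa(entries: list, privacy_notice: dict) -> list:
    """Run check_entry over every row and concatenate the findings."""
    return [f for e in entries for f in check_entry(e, privacy_notice)]


# Constructed sample rows: the first mirrors the article's contact-form entry,
# the second deliberately contains the mistakes listed above.
SAMPLE_ROPA = [
    {"process": "Website contact form", "purpose": "Handling enquiries from the contact form",
     "legal_basis": "Article 6(1)(f) GDPR", "data_subjects": "Website users",
     "data_categories": "First name, email address, message content",
     "recipients": "Hosting provider (processor)", "third_country_transfer": "None",
     "retention": "12 months from receipt", "security_measures": "TLS, server encryption, backups"},
    {"process": "Newsletter", "purpose": "Business purposes", "legal_basis": "Article 6(1)(a) GDPR",
     "data_subjects": "Subscribers", "data_categories": "Email address",
     "recipients": "Email platform provider (processor)", "third_country_transfer": "USA",
     "retention": "", "security_measures": ""},
]
SAMPLE_NOTICE = {"Website contact form": "12 months from receipt",
                 "Newsletter": "Until consent is withdrawn"}
```

Running `check_ropa(SAMPLE_ROPA, SAMPLE_NOTICE)` flags the newsletter row four times (two missing elements, a vague purpose, an unsupported transfer) and the contact-form row not at all.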
The ROPA as the Foundation of a Data Protection System
The ROPA is not an end in itself — it is a tool that supports other elements of the data protection system:
It helps prepare privacy notices — the ROPA shows what purposes, legal bases, and retention periods should be stated in the notices.
It supports DPIAs — the ROPA identifies processing activities that may require an impact assessment.
It facilitates data subject rights — the ROPA shows what data about a person is processed and where it is located, speeding up the handling of access or erasure requests.
It aids processor management — the ROPA identifies which processors you work with and what data you entrust to them.
It supports retention management — the ROPA is the starting point for implementing a data deletion procedure after the retention period expires.
Checklist — Record of Processing Activities
- Check whether you maintain a ROPA — if not, create one immediately.
- Conduct a processing activity inventory — review all departments.
- For each process, complete all required fields from Article 30(1).
- Determine retention periods — specific, for each purpose.
- Identify recipients and transfers outside the EEA.
- Describe security measures.
- If you are a processor — create a separate record under Article 30(2).
- Check ROPA consistency with privacy notices and data processing agreements.
- Schedule regular reviews — at least once per quarter.
- Store the ROPA securely — accessible to the DPO and persons responsible for data protection.
Need Help With Your Record of Processing Activities?
A well-prepared ROPA is the foundation of GDPR compliance — and the first document UODO will see during an audit. At the Law Office of Dr Joanna Maniszewska-Ejsmont, we help companies and institutions prepare and update their Records of Processing Activities — from process inventories, through determining retention periods, to ensuring consistency with the entire GDPR documentation set.