ROPA (record of processing activities)
Record of processing activities under Article 30 GDPR: mandatory from the first employee
TL;DR
The record of processing activities (ROPA) is a register maintained under Article 30 GDPR of all processing activities of a controller or processor. It contains nine mandatory fields (e.g., purposes, categories of data, recipients, retention periods) and must be made available to the supervisory authority upon request.
What is the ROPA (record of processing activities)?
The ROPA (also referred to as the record of processing activities) is mandatory for all controllers under Article 30(1) GDPR — the exemption referred to in Article 30(5) for organizations with fewer than 250 employees almost never applies in practice, as it excludes routine processing such as HR data, customer CRM, or newsletters. Processors maintain their own ROPA under Article 30(2) with different mandatory fields. Supervisory authorities begin 85% of all inquiries by requesting the ROPA (BfDI 2024 Activity Report).
Practical example
A 30-person mechanical engineering company documents its processing activities in the ROPA:
- Payroll (jointly with the tax adviser as processor)
- CRM customer master data (in-house database)
- Applicant management (e-recruiting SaaS)
- Video surveillance of the workshop
- Newsletter distribution (Cleverreach)
For each entry, nine mandatory fields are documented: purpose, legal basis, categories of data, recipients, third-country transfer, retention periods, TOM reference, controller, processor (where relevant).