Record of Processing Activities (ROPA) – What It Must Contain and Example Entry

Mar 31, 2026 | GDPR and iGDPR guides for practitioners and beginners

The record of processing activities is one of the first documents requested during a supervisory authority inspection. In theory, the obligation flows directly from Article 30 GDPR — in practice, many organisations maintain it in a way that falls short of requirements: too general, outdated and disconnected from actual processing operations.

This article explains what the record of processing activities must contain, when it is mandatory, what a correct entry looks like and what mistakes most frequently emerge during audits.

What is the record of processing activities and what is its legal basis

The record of processing activities (ROPA) is a document describing all operations performed on personal data within an organisation. Every processing activity — customer management, recruitment, employee records, newsletter, invoice archiving — should have its own entry in the record.

The obligation to maintain the record flows from Article 30 GDPR. The provision specifies exactly which elements each entry must contain — both for controllers and processors.

The record serves as the central tool for documenting GDPR compliance. Without it, a controller cannot demonstrate that personal data is processed in accordance with the law — which constitutes a breach of the accountability principle under Article 5(2) GDPR.

When is the record of processing activities mandatory

Formally, Article 30 GDPR exempts organisations with fewer than 250 employees from the obligation — but only on condition that the processing is not regular, does not concern special categories of data and does not present a risk to the rights and freedoms of individuals.

In practice, this exception is narrow. Any organisation that:

  • processes customer data on a regular basis (a shop, an office, a clinic),
  • processes employee data,
  • uses CCTV monitoring or carries out marketing activities,
  • processes health, biometric or other special category data

— should maintain the record regardless of headcount. The obligation therefore applies in practice to virtually every organisation that processes personal data.

What the record of processing activities must contain — elements required by Article 30 GDPR

Each entry in the controller’s record must include:

Controller details — name and contact details of the controller, joint controllers (if applicable) and the DPO.

Purpose of processing — a clearly defined purpose, for example “performance of a sales contract”, “handling complaints”, “sending newsletters”. A generic purpose such as “marketing” is insufficient.

Legal basis — the specific basis under Article 6 GDPR (and Article 9 for special categories), for example Article 6(1)(b) (performance of a contract) or Article 6(1)(a) (consent). A detailed overview of all legal bases is available in the article on legal bases for processing personal data.

Categories of data subjects and data — description of the groups of individuals whose data is processed (customers, employees, applicants) and the categories of data (contact data, identification data, financial data).

Recipients of data — entities to whom data is or may be transferred: IT service providers, courier companies, accounting firms, payment operators. Where data is transferred outside the EEA — the destination country and the safeguards applied must be indicated.

Retention period — planned deadlines for erasure or the criteria used to determine those deadlines. An entry stating “indefinitely” is not acceptable. Detailed retention periods for different data categories are discussed in the article on personal data retention.

Description of security measures — a general description of the technical and organisational security measures in place, such as encryption, access controls, pseudonymisation.

Example entry in the record of processing activities

Below is an example entry for the activity “Customer management” at a service company:

Activity name: Customer management — performance of service contracts

Purpose of processing: Performance of a service contract, handling enquiries and complaints

Legal basis: Article 6(1)(b) GDPR (performance of a contract); Article 6(1)(c) GDPR (legal obligation — invoicing)

Categories of data subjects: Individual and business customers

Categories of data: Name, address, email address, phone number, invoice data (VAT number, company address), order history

Recipients: CRM system provider (data processing agreement), accounting firm (data processing agreement), courier company (data processing agreement)

Transfers outside EEA: Not applicable

Retention period: 5 years from the end of the tax year (invoices); 3 years from contract termination (correspondence data — limitation period for claims)

Security measures: Database encryption, role-based access control, pseudonymisation in test environment

In practice, an organisation will typically have between ten and several dozen such entries — one for each distinct processing activity.

Record of processing activities for processors — a separate obligation

Article 30 GDPR imposes the obligation to maintain a record not only on controllers but also on processors. A processor’s record has a slightly different structure — instead of purposes of processing, it identifies the controllers on whose behalf data is processed.

Organisations acting as processors — accounting firms, IT companies, marketing agencies handling client data on behalf of their clients — must maintain a record of all categories of processing activities carried out on behalf of each controller.

Most common mistakes in the record of processing activities

Based on supervisory authority inspections and audit practice, the following mistakes appear most frequently:

Overly generic purpose descriptions. “Marketing” instead of “sending newsletters to subscribers on the basis of consent” is a description that says nothing about the actual process.

Failure to update. A record created at GDPR implementation and not updated since does not reflect reality. New systems, new suppliers, new processes — all should be reflected in the record.

Missing retention period. One of the most frequent omissions. “Until the end of the contract” is insufficient — a specific deadline or a clear criterion for determining the deadline is required.

Missing legal basis. Listing “consent” as the basis for all activities — without checking whether other bases (contract, legal obligation) would be more appropriate.

No link to risk assessment. The record should be connected to risk assessment — every processing activity should have an associated risk assessment. Without this, the record is incomplete from the accountability perspective.

Multiple uncoordinated files. Excel, Word, PDF — each department maintains its own file. The absence of a central record makes it impossible to control consistency and currency of entries.

Managing the record of processing activities in iGDPR

iGDPR includes a dedicated record of processing activities module, which serves as the central reference point for all other system functionalities. Every processing activity is linked to risk assessment, authorisations, data processing agreements, privacy notices and retention tasks — all in one place.

The record in iGDPR contains all elements required by Article 30 GDPR, is linked to the risk assessment and retention modules, enables generation of reports and PDF documents, signals the need for updates when changes occur, and supports multiple controllers within a single system.

Summary

The record of processing activities is the foundation of GDPR documentation — without it, a controller cannot demonstrate compliance or prepare for a supervisory authority inspection. The key is not merely having the record, but maintaining it: keeping it current, detailed and linked to the organisation’s actual processes.

Key principles:

  • each distinct processing activity is a separate entry in the record,
  • the record must contain all elements specified in Article 30 GDPR,
  • the retention period must be specific — “indefinitely” is not acceptable,
  • the record should be updated continuously, whenever processes change,
  • the record should be linked to risk assessment and the register of processing agreements.

Frequently asked questions about the record of processing activities

Does every organisation have to maintain a record of processing activities?

The formal exception applies to organisations with fewer than 250 employees that do not process data regularly and do not process special categories of data. In practice, this exception is very narrow — the vast majority of organisations should maintain the record.

How many entries should the record contain?

As many as there are distinct processing activities in the organisation. A typical service company will have between ten and thirty entries — customer management, payroll, recruitment, marketing, CCTV, document archiving. Each distinct purpose is a separate activity.

Does the record have to be in electronic form?

GDPR does not prescribe the form — the record may be paper-based. In practice, electronic form is almost essential given the need for continuous updates and connection to other GDPR documentation.

How often should the record be updated?

Whenever a significant change occurs — a new process, a new system, a new supplier, a change in purpose or data scope. A full review of the entire record at least once a year is also recommended.

What are the consequences of not maintaining the record?

The absence of a record breaches the accountability principle and may result in an administrative fine from the supervisory authority. It is one of the first documents verified during an inspection.

Does a processor have to maintain its own record?

Yes — Article 30 GDPR imposes the obligation on both controllers and processors. A processor’s record has a different structure from a controller’s.

Maintain your record of processing activities in a system that connects it to your entire GDPR documentation

iGDPR includes a dedicated ROPA module linked to risk assessment, authorisations, processing agreements and data retention. Every entry contains all elements required by Article 30 GDPR. See how it works in practice.
