Term: Records of Processing Activities (RoPA)
The Records of Processing Activities, or RoPA, provides a clear overview of all aspects of personal data processing, including collection, purposes, types of data, and categories of data subjects.
What is a Records of Processing Activities (RoPA)?
RoPA stands for Records of Processing Activities. The General Data Protection Regulation (The GDPR) requires organizations to keep a RoPA. It is a document that shows every step of what happens to personal data, from collection, purposes to processing and data types.
Records of Processing Activities (RoPA) Under The GDPR
According to Article 30 of the GDPR, “Each controller and, as applicable, its representative, shall keep a record of the processing activities under its responsibility.” This means that every company must have Records of Processing Activities (RoPA) for the personal data they process as a data controller.
Art. 30(2) of the GDPR specifies that “every processor and their representative, where applicable, must keep a record of all processing activities performed on behalf of controllers.” As a result, even if your company primarily processes data for other companies, you must maintain a Records of Processing Activities (RoPA) as well, for the data you process for the controller.
For example, if your company is a service provider for sending email marketing campaigns, and the data controller sends you a list of email addresses and names, you should include that in your Records of Processing Activities (RoPA), along with any data you are processing as a data controller, such as employee personal data.
What Should Be Included In A Records of Processing Activities (RoPA)?
- Name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer; OR the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting.
- Purposes of processing;
- Description of the categories of data subjects and of the categories of personal data;
- Categories of recipients to whom personal data have been or will be disclosed, including third countries;
- Transfer of personal data to a third country and transfer mechanisms;
- Retention periods;
- Technical and organisational security measures