Records of Processing Activities (RoPA)
Definition
Comprehensive documentation required under GDPR Article 30 that inventories an organization's data processing operations, including purposes, data categories, recipients, transfers, and retention periods. Controllers and processors must maintain these records in writing (including electronic format) to demonstrate compliance and enable supervisory authority oversight. A complete RoPA includes: processing purposes and legal bases, data categories and subject types, recipient categories including international transfers, retention schedules, and security measures. Organizations with fewer than 250 employees may be exempt unless processing is regular, involves special category data, or creates high risks. RoPAs serve as compliance foundations—they inform Privacy Impact Assessments, guide data subject rights responses, support breach investigations, and demonstrate accountability during audits. Best practice involves maintaining RoPAs as living documents, reviewing them at least annually, updating them when processing changes, and integrating them into broader data governance programs.
Applicable Laws & Regulations
- GDPR Article 30
- GDPR Article 5(2)