A Record of Processing Activities, or ROPA, is a written document that lists every way your business collects, uses, stores, shares, and protects personal data.
Under Article 30 of the GDPR, almost every company operating in or targeting the EU needs one, whether you have 250 employees or just five. Article 30 of GDPR does include a narrow exemption for organisations with fewer than 250 employees, but the exception only applies where the processing is truly occasional, unlikely to risk people's rights and freedoms, and does not involve special-category data or data relating to criminal convictions/offences.
In practice, if you run payroll, send marketing emails, use Google Analytics, or have a customer database, you need a ROPA. RoPA is the fastest way to answer "what data do we have, where is it, and why?" - and it's often the first document regulators ask to see.
Below is a clear, practical guide to help you create, maintain, and audit-proof your ROPA.
- 1. What's a ROPA and When Do You Need One?
- 2. What Information Must Your ROPA Document?
- 3. Step-by-Step Guide to Creating Your ROPA
- 3.1. Step 1: Identify all your processing activities
- 3.2. Step 2: Define the purpose of each activity
- 3.3. Step 3: List categories of personal data and data subjects
- 3.4. Step 4: Identify recipients and international transfers
- 3.5. Step 5: Record retention periods
- 3.6. Step 6: Summarize security measures
- 3.7. Step 7: Create your final ROPA document
- 4. ROPA Templates and Examples by Business Type
- 4.1. Example: SaaS Company ROPA (Controller)
- 4.2. Example: Ecommerce Store ROPA (Controller)
- 4.3. Example: HR Department ROPA (Processor)
- 5. How Often Do You Update Your ROPA?
- 6. What Do Regulators and Auditors Look for in ROPAs?
- 7. What Tools Automate ROPA Creation?
- 8. Summary
What's a ROPA and When Do You Need One?
A Record of Processing Activities (ROPA) is the GDPR's required internal map of every single way your business handles personal data, from the moment it's collected to the day it's deleted or anonymized.
Legally, the ROPA must be kept in writing (including electronic form) and you must be able to produce it for a supervisory authority on request.
Article 30(1) and 30(2) set clear triggers for when a ROPA is needed. You must maintain a ROPA if you are a controller or processor, and any of the following apply:
- Your organization has 250 or more employees,
- The processing you carry out is likely to result in a risk to people's rights and freedoms,
- The processing is not occasional, or
- You handle special-category or sensitive data (health, religion, ethnicity, political opinions, etc.)
The "small-organisation derogation" is interpreted narrowly in practice. If you routinely run HR, customer accounts, marketing, analytics, or vendor management, you are usually documenting processing that is "not occasional".
If you regularly collect personal data from customers, employees, website visitors, or app users, you should assume a ROPA is required. The European Data Protection Board (EDPB) has stated that "occasional" processing does not include normal business activities like running a website, keeping employee records, using analytics, or sending marketing emails. In other words, most companies fall under the requirement even if they have fewer than 250 employees.
Historically, ROPAs replaced the old "data controller registration" systems that many EU countries used. Instead of notifying a regulator about your data processing, the GDPR now requires you to document it internally and produce it on demand. Your ROPA is your proof that you understand your data flows and are complying with the GDPR.
What Information Must Your ROPA Document?
Article 30 requires data controllers and data processors to document different details, but most businesses perform both roles at different times. This means you might need to document both of the following lists.
Your ROPA for data controllers (the company that decides why and how data is processed) must include:
- The name and contact details of your organization
- The name and contact details of your Data Protection Officer (DPO) if you have one
- The purposes of each processing activity
- Categories of personal data involved
- Categories of data subjects (people the data refers to), such as customers, employees, website visitors
- Categories of recipients you share the data with
- Data retention timelines for each category
- A general description of security measures
- If you transfer data outside the European Economic Area (EEA), note the transfer mechanism
Data processors have similar obligations, with key additions: they must name each controller they process for, list any sub-processors they engage, and document any third-country transfers (and safeguards) within those processing activities.
Think of the ROPA as an inventory. Each "processing activity" gets its own entry. Sending newsletters, managing employee files, running website analytics, and handling customer support tickets are four separate activities, even if the same software is involved.
The implication for your business is straightforward: your ROPA should read like a high-level map of your data ecosystem. Each processing activity should be easy for a regulator to understand without asking follow-up questions.
Step-by-Step Guide to Creating Your ROPA
Begin by naming a single owner of the project. Ideally, someone who understands the business and can chase answers without endless meetings. That person then conducts what is essentially an internal data census. Walk department by department. Ask marketing which mailing-list and analytics tools they use. Ask HR about payroll providers, applicant tracking systems, and benefits platforms. Ask the web or product team about cookies, live-chat widgets, A/B testing tools, and hosting locations. Ask finance about invoicing and payment processors.
The list usually grows faster than anyone expects, and that moment of realization -- "we use how many tools?" -- is often the point where leadership finally grasps the scale of their privacy exposure.
With the raw list in hand, send a short, plain-language questionnaire to the person closest to each tool: What personal data goes in? Why do we need it? Who else sees it? How long do we keep it? Where is it stored or transferred? Most replies come back in minutes when the questions are this concrete.
Now, expand that initial census into the full ROPA through these detailed steps.
Step 1: Identify all your processing activities
A "processing activity" is any operation involving personal data, like collecting it, storing it, analyzing it, sharing it, or deleting it. This is your master list of every way data flows through the business. Group them logically—marketing activities together, HR together—but keep each one separate enough to stand alone.
Some common examples include:
- Website analytics
- Customer support tickets
- Newsletter subscriptions
- Employee payroll
- App account creation
If an activity involves personal data and is part of your normal business operations, it belongs in your ROPA.
Step 2: Define the purpose of each activity
For each processing activity, write a short, clear statement explaining why you process the data. The GDPR requires you to be specific. Broad terms like "business operations" will not cut it, but focused descriptions work well.
For instance, "Marketing" could be specified as "to send promotional emails about new products to subscribed customers." "Improving user experience" might become "to analyze website behavior and personalize content recommendations." "Compliance with legal obligations" could detail "to retain financial records for tax authority audits."
These statements help tie your activities back to legitimate interests or legal bases under Article 6, making the ROPA a stronger compliance tool overall.
Article 30 does not explicitly require you to record the Article 6 lawful basis in the RoPA. However, many organisations track lawful basis alongside each activity because it makes audits, DPIAs, and privacy notice updates faster.
Step 3: List categories of personal data and data subjects
For this step, you'll list broad categories, not individual data points. EDPB guidance confirms that category-level descriptions are appropriate and sufficient.
For personal data, examples include:
- Contact details (like email and phone numbers)
- Login credentials (usernames and passwords)
- IP addresses and device identifiers
For data subjects, categories might be:
- Customers
- Employees
- Contractors
- Website visitors
This approach keeps the ROPA concise while still providing the overview regulators expect, and it highlights any sensitive areas, like employee health data, that might require extra scrutiny.
Step 4: Identify recipients and international transfers
Document every entity that receives any of the data. Start with your internal teams like HR or sales, then address external service providers such as email platforms (e.g., Mailchimp), cloud hosts (e.g., AWS), or payment processors (e.g., Stripe).
Be thorough. Overlooking a sub-processor can lead to compliance gaps. If any data crosses borders outside the EU/EEA, note the exact safeguard in place to ensure adequate protection. Common ones include Standard Contractual Clauses (SCCs), which are pre-approved contracts; adequacy decisions for countries like the UK or Japan that the EU deems safe; or Binding Corporate Rules for multinational groups.
This section is crucial because international transfers have been a hot enforcement area since the Schrems II court ruling, and getting it wrong can invalidate your entire data flow.
Practical transfer rule post-Schrems II: documenting "SCCs" is not the end of the analysis. You should also record (and be able to evidence) a transfer risk assessment and any supplementary measures needed where the recipient country's laws could undermine SCC protections, consistent with EDPB Recommendations on supplementary measures. Use the EU's modern SCCs adopted in 2021 (Decision (EU) 2021/914) where SCCs are your safeguard.
Step 5: Record retention periods
Retention periods must be directly linked to the purpose of the processing, showing that you do not keep data longer than necessary. Vague phrases like "kept until no longer needed" are not sufficient and often draw regulator criticism.
Aim for realistic, specific timelines backed by business needs or law. For example:
- Customer account data: retained for the life of the active account plus 6 years to handle potential disputes or returns
- Payroll data: retained for 7 years as required under national tax law
If a purpose ends (like a marketing campaign), specify automatic deletion processes. This not only meets Article 30 but also supports your broader data minimization efforts, reducing storage costs and breach risks.
Anchor your retention periods in the storage-limitation principle: keep data no longer than necessary for the stated purpose, taking into account any legal retention duties, and set time limits to erase or review stored data.
Step 6: Summarize security measures
Article 30 only requires a general description of your technical and organizational security measures, so keep it high-level without diving into proprietary details.
Some effective examples to include are:
- Access controls
- Encryption at rest and in transit
- Regular vulnerability scanning
- Staff training
- Data minimization practices
Step 7: Create your final ROPA document
Pull everything together into a single, accessible format. A spreadsheet like Excel or Google Sheets is the most common choice for its simplicity and ease of updates, but an internal wiki page or dedicated privacy platform works, too.
The format itself isn't so important. Instead, what matters is clarity, so use columns for each required element and rows for each activity. Make sure the document is easy to produce on short notice for regulators, customers, or auditors, perhaps by storing it in a shared compliance folder with version control.
ROPA Templates and Examples by Business Type
The GDPR intentionally leaves room for flexibility. Regulators like the UK ICO and CNIL in France provide templates showing that it's acceptable to structure your ROPA as a table, spreadsheet, or internal dashboard. The key is completeness, clarity, and accuracy.
Here are a few templates with example business types used for context.
Example: SaaS Company ROPA (Controller)
SaaS Company ROPA Template (Controller)
Organization: [Your Company Name]
DPO/Contact (if appointed): [Name/Email]
Date of last update: [e.g., January 2026]
Version: 1.0
| Processing Activity | User account management | Product analytics | Billing & subscription management | Customer support |
| Purpose | Provide access to the SaaS platform | Improve platform performance | Process payments and manage subscriptions | Resolve user issues and provide assistance |
| Data Subjects | Registered users | Registered users, website visitors | Registered users (paying) | Registered users |
| Personal Data Categories | Name, email, login data, IP address | Device data, usage logs, session metadata | Name, email, billing address, payment details (tokenized) | Name, email, support ticket content, chat logs, attachments |
| Recipients | Internal engineering team, hosting provider | Analytics vendor | Internal finance team, payment processor (e.g., Stripe) | Internal support team, helpdesk tool (e.g., Intercom/Zendesk) |
| International Transfers | US hosting provider (SCCs) | None | US payment processor (SCCs) | US/EU helpdesk provider (SCCs where applicable) |
| Retention Period | Life of account + 2 years | 14 months | Duration of subscription + 7 years (tax/legal obligations) | Duration of support case + 2 years (for disputes) |
| Security Measures | Encryption, access controls, MFA for admin accounts | Pseudonymization, segregation of roles | Tokenization of payment data, encryption in transit/at rest, regular security audits | Encryption, role-based access, logging of access even |
Example: Ecommerce Store ROPA (Controller)
Ecommerce Store ROPA Template (Controller)
Organization: [Your Store Name]
DPO/Contact (if appointed): [Name/Email]
Date of last update: [e.g., January 2026]
Version: 1.0
| Processing Activity | Order processing | Email marketing | Website analytics & personalization | Customer support |
| Purpose | Fulfill purchases and process returns/refunds | Send promotional newsletters, product recommendations, and abandoned cart reminders | Analyze site traffic and improve user experience | Handle inquiries, complaints, and returns |
| Data Subjects | Customers | Customers, newsletter subscribers | Website visitors, customers | Customers |
| Personal Data Categories | Contact details (name, shipping address, phone), billing info (card/tokenized payment data), order history | Email addresses, purchase history (for segmentation), consent records | IP addresses, device information, browsing behavior, cookies/session data | Name, email, phone, order details, support ticket content, chat transcripts |
| Recipients | Payment processors, shipping vendors, internal order fulfillment team | Email service provider (e.g., Klaviyo, Mailchimp) | Analytics provider (e.g., Google Analytics) | Internal support team, helpdesk tool (e.g., Zendesk) |
| International Transfers | Shipping vendor in UK (adequacy decision) | US vendor (SCCs) | US provider (SCCs) | US/EU helpdesk provider (SCCs where applicable) |
| Retention Period | 6 years (tax and accounting legal obligations) | Until withdrawal of consent + 1 year (for proof of prior consent) | 14 months (or shorter if configurable) | Duration of support case + 3 years (for potential disputes) |
| Security Measures | Encryption in transit and at rest, PCI-DSS compliant processes, tokenization of payment data, access controls | Access controls, double opt-in verification, suppression list management, regular consent audits | IP anonymization (where possible), pseudonymization, consent banners, cookie management | Encryption, role-based access, ticket anonymization where feasible, logging of access events |
Example: HR Department ROPA (Processor)
HR Department ROPA Template (Processor)
Organization: [Your HR/Outsourced Payroll Company Name]
DPO/Contact (if appointed): [Name/Email]
Date of last update: [e.g., January 2026]
Version: 1.0
| Processing Activity | Payroll administration | Employee onboarding & records management | Time & attendance tracking | Benefits administration |
| Purpose (as instructed by Controller) | Process employee salaries, deductions, and tax withholdings | Maintain employee files, benefits enrollment, and compliance documentation | Record hours worked, leave requests, and absences for payroll calculation | Enroll employees in health, retirement, and other benefit plans |
| Controller(s) | Client employer(s) | Client employer(s) | Client employer(s) | Client employer(s) |
| Data Subjects | Employees | Employees, new hires | Employees | Employees |
| Personal Data Categories | Names, home addresses, salary data, national IDs/social security numbers, bank details, tax forms | Names, contact details, date of birth, emergency contacts, identification documents, employment contracts, background check results | Clock-in/out times, leave balances, sick days, vacation requests | Names, eligibility data, dependent information, enrollment choices |
| Recipients | Tax authorities, banking institutions (for direct deposit) | Internal HR team, benefits providers (e.g., insurance carriers) | Time-tracking software provider (if subcontracted) | Benefits providers (e.g., 401(k) administrators, health insurers) |
| International Transfers | None | None (or as specified by controller) | None | None (or US providers with SCCs if applicable) |
| Retention Period | As instructed by the controller (typically 7 years for tax compliance) | As instructed by the controller (typically duration of employment + 7 years) | As instructed by the controller (typically 3–7 years depending on labor law) | As instructed by the controller (typically duration of plan participation + 6 years) |
| Security Measures | Encryption in transit and at rest, role-based access controls, audit logging, secure file transfer protocols | Encryption, access restricted to authorized personnel only, regular access reviews, secure document storage | Role-based access, pseudonymization where feasible, secure API connections | Encryption, secure transmission of sensitive data, vendor due diligence, data minimization |
How Often Do You Update Your ROPA?
Review the entire ROPA at least annually and update it immediately whenever your practices change in a relevant way. For example, if you onboard a new vendor, launch a new feature, start collecting new data types, or change a data retention policy. Many organizations tie the annual review to the calendar year-end or to the renewal of cyber insurance - two natural moments when attention is already on risk and compliance.
What Do Regulators and Auditors Look for in ROPAs?
When an inspector or certification body requests your ROPA, they are testing five core questions:
- Does the document exist at all?
- Can you produce the actual current RoPA quickly (not just a template)? Ireland's DPC has said organisations should keep it 'ready to go' and warned that outdated transfer references (eg Privacy Shield) are a red flag
- Does it reflect the reality they can observe from your public-facing Privacy Policy and website?
- Are third parties and international transfers accurately named and legally covered?
- Are retention periods specific and defensible (the phrase "as long as necessary" almost guarantees follow-up questions)?
- Can you demonstrate ongoing maintenance of the document?
What Tools Automate ROPA Creation?
For companies with fewer than roughly 50 processing activities, a Google Sheet or Excel file backed by the ICO template is perfectly adequate and costs nothing. But once you cross that threshold, it may be easier to use an automation tool. These tools scan your environment, map your data flows, and generate Article 30-compliant reports.
You don't need software to comply with Article 30 - spreadsheets work for many organisations. Consider automation when your processing activities change frequently, you have many vendors/systems, or keeping the RoPA current is becoming a monthly firefight.
Tools like Vanta, Securiti, DataGuard, and Osano can scan cloud environments, detect new data flows, and regenerate an up-to-date ROPA automatically.
Summary
A ROPA is your business's evidence of GDPR compliance. Creating one forces you to understand your data flows, update your privacy documentation, and reduce your risk in an audit.
If you run a business that regularly handles customer or employee data, assume you need a ROPA. Update it whenever your processing changes. And make sure the document reflects what your organization actually does, not what you hope it does.
Make sure your ROPA includes the following:
- Every significant flow of personal data has its own entry.
- Every vendor that receives personal data is explicitly named.
- Retention periods are concrete and justified by law or legitimate interest.
- International transfers are identified and the legal safeguard is documented.
- Security measure descriptions, at a high level, are present.
- The document carries a clear date, version number, and management approval.
The first step to compliance: A Privacy Policy.
Stay compliant with our agreements, policies, and consent banners — everything you need, all in one place.