In one sentence. GDPR Article 30 ROPA requires a structured register with 8 mandatory fields for controllers (Article 30(1)) and 6 for processors (Article 30(2)), expandable to 14 fields total under EDPB Guidelines and good practice. The data model must be queryable per activity, per data category, per recipient, and per retention class — which is why a spreadsheet rarely survives a serious audit and a database schema is the de facto standard.
The official template published by CNIL, ICO and most EU DPAs maps directly to these fields. The EUR-Lex reference is Regulation (EU) 2016/679, Article 30.
Key takeaways
- 8 mandatory controller fields under Article 30(1)(a)-(g).
- 6 mandatory processor fields under Article 30(2)(a)-(d).
- Article 30 applies to all organisations except those with fewer than 250 employees whose processing is neither regular nor risky.
- ROPA must be made available to the supervisory authority on request (Article 30(4)).
- EDPB recommends additional fields for accountability (lawful basis, DPIA reference, breach log link).
1. Article 30(1) text — controller obligations
“Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information: (a) the name and contact details of the controller… (b) the purposes of the processing; (c) a description of the categories of data subjects and of the categories of personal data; (d) the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations; (e) where applicable, transfers of personal data to a third country or an international organisation… and the documentation of suitable safeguards; (f) where possible, the envisaged time limits for erasure of the different categories of data; (g) where possible, a general description of the technical and organisational security measures referred to in Article 32(1).”
2. Mandatory controller fields (8)
| # | Field | Article | Type |
|---|---|---|---|
| 1 | Controller identity + contact | 30(1)(a) | Text |
| 2 | DPO contact (if applicable) | 30(1)(a) | Text |
| 3 | Joint controller details (if applicable) | 30(1)(a) | Text |
| 4 | Purposes of processing | 30(1)(b) | Text |
| 5 | Categories of data subjects | 30(1)(c) | Multi-select |
| 6 | Categories of personal data | 30(1)(c) | Multi-select |
| 7 | Categories of recipients | 30(1)(d) | Multi-select |
| 8 | Third country transfers + safeguards | 30(1)(e) | Structured |
| 9 | Retention periods per category | 30(1)(f) | Duration |
| 10 | Security measures (Article 32) | 30(1)(g) | Reference |
3. Mandatory processor fields (6)
Article 30(2) imposes lighter requirements on processors:
- Processor identity + DPO
- Each controller for whom processing is performed
- Categories of processing per controller
- Third country transfers + safeguards
- Security measures
- Sub-processor list
4. EDPB-recommended additional fields
Beyond the mandatory fields, EDPB Guidelines and accountability practice add:
- Lawful basis (Article 6) per activity
- Special category basis (Article 9(2)) if applicable
- DPIA reference (Article 35)
- LIA reference (legitimate interest assessment)
- Breach log link (Article 33)
- Consent management mechanism
- Data source (collected from subject, obtained from third party)
- Automated decision-making flag (Article 22)
5. Recommended database schema
```text
processing_activity
  id, name, purpose, lawful_basis, special_category_basis,
  controller_id, joint_controller_ids[], processor_ids[],
  data_subject_categories[], personal_data_categories[],
  recipient_categories[], third_country_transfers[],
  retention_rules[], security_measures_ref,
  dpia_id, lia_id, automated_decision boolean,
  created_at, updated_at, owner_id
```
This schema satisfies Article 30 plus the EDPB recommendations, and it is the model serious tools deploy.
6. Article 30(5) exemption
The exemption for organisations with fewer than 250 employees is not a blanket exemption. It does not cover:
- Processing that is regular (i.e. not occasional)
- Processing likely to result in a risk to rights and freedoms
- Processing of special categories (Article 9)
- Processing of criminal data (Article 10)
In practice, almost no SaaS, e-commerce, HR, or marketing operation qualifies for exemption.
7. Format and availability
Article 30(3): the record must be in writing, including in electronic form. Article 30(4): it must be made available to the supervisory authority on request. CNIL and ICO sanction an unavailable ROPA (“ROPA non disponible”) as an Article 83(4) violation.
8. Worked example: SaaS billing activity
| Field | Value |
|---|---|
| Purpose | Subscription billing and invoicing |
| Lawful basis | Article 6(1)(b) contract |
| Data subjects | Customers (B2B contacts) |
| Personal data | Name, email, billing address, payment data |
| Recipients | Stripe (processor, USA), accountant (joint controller) |
| Transfers | USA - SCCs + TIA (Stripe) |
| Retention | 10 years (legal obligation) |
| Security | Encryption at rest/transit, MFA, ISO 27001 |
| DPIA | Not required (low risk) |
9. Common compliance failures
- Using a static Excel file that no one updates
- Missing the third-country transfer column
- Generic “appropriate security” instead of measurable controls
- No link between ROPA and DPIA register
- Failure to separate controller vs processor activities
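As an added example (not code from the page or from Legiscope), the check below validates one controller record shaped like the section 5 schema against the Article 30(1) mandatory fields and two of the failures listed above (transfer without safeguards, generic security wording), and answers the "which activities hold this data category" query the intro calls for. The function names and the sample record, built from the section 8 billing activity, are assumptions made for this example.

```python
# Added example, not the page's or Legiscope's code. Field names follow the page's
# section 5 schema; MANDATORY_CONTROLLER_FIELDS, GENERIC_SECURITY, validate_activity,
# activities_holding and the BILLING record are constructed for this example.

MANDATORY_CONTROLLER_FIELDS = {        # schema field -> GDPR article
    "controller_id": "30(1)(a)",
    "purpose": "30(1)(b)",
    "data_subject_categories": "30(1)(c)",
    "personal_data_categories": "30(1)(c)",
    "recipient_categories": "30(1)(d)",
    "retention_rules": "30(1)(f)",
    "security_measures_ref": "30(1)(g)",
}
GENERIC_SECURITY = {"appropriate security", "adequate security", "industry standard"}  # names no control

def validate_activity(rec: dict) -> list[str]:
    """Return findings for one activity record; an empty list means it is complete."""
    findings = []
    for name, article in MANDATORY_CONTROLLER_FIELDS.items():
        if not rec.get(name):
            findings.append(f"missing {name} (Article {article})")
    # 30(1)(e): every third-country transfer must carry documented safeguards
    for t in rec.get("third_country_transfers", []):
        if not t.get("safeguard"):
            findings.append(f"transfer to {t.get('country', '?')} lacks safeguards (Article 30(1)(e))")
    # 30(1)(g): reject wording that describes no measurable control
    if str(rec.get("security_measures_ref") or "").strip().lower() in GENERIC_SECURITY:
        findings.append("security measures are generic, not measurable controls (Article 30(1)(g))")
    return findings

def activities_holding(activities: list[dict], category: str) -> list[str]:
    """Per-data-category query: names of activities that process `category`."""
    return [a["name"] for a in activities
            if category.lower() in (c.lower() for c in a.get("personal_data_categories", []))]

# Constructed sample record mirroring the page's section 8 SaaS billing activity
BILLING = {
    "name": "SaaS billing",
    "controller_id": "example-saas-ltd",
    "purpose": "Subscription billing and invoicing",
    "data_subject_categories": ["Customers (B2B contacts)"],
    "personal_data_categories": ["Name", "Email", "Billing address", "Payment data"],
    "recipient_categories": ["Stripe (processor, USA)", "Accountant (joint controller)"],
    "third_country_transfers": [{"country": "USA", "recipient": "Stripe", "safeguard": "SCCs + TIA"}],
    "retention_rules": [{"category": "Billing records", "years": 10, "basis": "legal obligation"}],
    "security_measures_ref": "Encryption at rest/transit, MFA, ISO 27001",
}
```

Running `validate_activity` over every row at each review date gives the audit trail the static spreadsheet in the first bullet never produces.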
10. Update cadence
EDPB recommends review at least annually, plus on:
- New processing activity launch
- New processor onboarding
- Material change in data flows
- Post-breach review
11. Tooling
Legiscope provides an Article 30-ready schema with all 14 fields, processor integration, DPIA cross-linking, breach log connection, and DPA export. CSV/PDF export in 24 languages.
For more on the overall compliance framework, see our GDPR compliance guide 2026 and Article 28 DPA guide.
FAQ
What fields are mandatory in a GDPR Article 30 ROPA?
8 fields for controllers (Article 30(1)(a)-(g)): identity, DPO, purposes, data subject categories, personal data categories, recipient categories, third-country transfers, retention periods, security measures. 6 fields for processors (Article 30(2)).
What’s the difference between Article 30(1) and Article 30(2)?
30(1) covers controllers (8 fields, including purposes and lawful basis context). 30(2) covers processors (6 fields, focused on which controllers and what categories of processing).
Is a spreadsheet enough for Article 30?
Legally yes, practically no. Once you have >20 activities, multiple processors, and DPIA cross-references, a database schema is the only sustainable model.
Do small businesses need a ROPA?
Article 30(5) exempts <250 employees only if processing is occasional, low-risk, and excludes special categories. Almost no SaaS/e-commerce qualifies.
Where can I find an official ROPA template?
CNIL, ICO, and Garante publish official templates. The EUR-Lex source is Regulation (EU) 2016/679, Article 30.