Definition. A Record of Processing Activities (ROPA) is the central inventory required by GDPR Article 30. It documents every processing activity an organization conducts: purposes, data categories, recipients, transfers, retention, security. Both controllers (Article 30(1)) and processors (Article 30(2)) must maintain a ROPA. The ROPA is the first document a supervisory authority requests in any inspection — it is the foundation of demonstrating accountability under Article 5(2).
A ROPA template accelerates GDPR compliance dramatically. Rather than building from scratch, this guide provides ready-to-use templates for both controller and processor versions, sample entries for the most common processing activities (HR, marketing, customer service, IT), and the practical workflow to maintain the ROPA over time.
For the broader compliance framework, see our data privacy compliance guide. For audit methodology, GDPR audit methodology. For the related vendor audit, Article 28 audit checklist.
Key takeaways
- Article 30 GDPR requires every controller and processor to maintain a ROPA.
- Companies under 250 employees are exempt only if processing is occasional, doesn’t involve special categories, and doesn’t pose a risk to data subjects (rare in practice).
- The controller ROPA has 8 mandatory fields, the processor ROPA has 5.
- A complete ROPA is the first document requested in any DPA inspection.
- Most CNIL sanctions in 2024-2025 cited ROPA gaps as an aggravating factor.
1. When is a ROPA mandatory?
Article 30(1) requires a controller ROPA. Article 30(2) requires a processor ROPA. Article 30(5) provides an exemption for organizations under 250 employees — but only if all three conditions are met:
- Processing is occasional
- Does not include special categories of data (Article 9) or criminal data
- Is unlikely to result in a risk to the rights and freedoms of data subjects
In practice, virtually no organization meets all three conditions. Any company with employees has HR data (regular processing). Any company with customers has CRM data. Treat the ROPA as mandatory for everyone.
2. Controller ROPA — mandatory fields (Article 30(1))
For each processing activity, document:
| # | Field | Example |
|---|---|---|
| 1 | Name and contact details of the controller | “Acme SAS, 12 rue X, 75001 Paris, dpo@acme.com” |
| 2 | Joint controller(s) where applicable | “[Marketing Partner] for joint advertising campaigns” |
| 3 | DPO contact (if designated) | “Jean Dupont, dpo@acme.com” |
| 4 | Purposes of the processing | “Manage customer accounts and orders” |
| 5 | Categories of data subjects and personal data | “Customers; identification, contact, order history, payment method” |
| 6 | Categories of recipients | “Internal: customer support, finance. External: payment processor (Stripe), shipping provider (DHL)” |
| 7 | Transfers to third countries (with safeguards) | “Stripe Inc, USA — EU-US Data Privacy Framework certification” |
| 8 | Retention periods | “Customer accounts: 3 years post last interaction. Order data: 10 years (commercial law)” |
| 9 | General description of TOMs (Article 32) | “TLS 1.3 in transit, AES-256 at rest, MFA on admin access, ISO 27001 certified” |
3. Processor ROPA — mandatory fields (Article 30(2))
| # | Field | Example |
|---|---|---|
| 1 | Name and contact details of processor (and each controller served) | “ProcessorCo for ClientA, ClientB, ClientC” |
| 2 | DPO contact (if designated) | — |
| 3 | Categories of processing carried out on behalf of each controller | “Hosting and processing of CRM data” |
| 4 | Transfers to third countries with safeguards | — |
| 5 | General description of TOMs | — |
4. Sample controller ROPA entry — HR
Processing activity: Employee personnel files
Controller: Acme SAS (12 rue X, 75001 Paris)
Joint controllers: None
DPO: dpo@acme.com
Purposes:
- Employment contract execution
- Payroll management
- Performance evaluations
- Compliance with social security and tax obligations
Lawful basis: Article 6(1)(b) (contract execution) + Article 6(1)(c) (legal obligation for payroll/tax)
Data subjects: Current employees (87), former employees (152)
Data categories:
- Identity: name, address, date of birth, nationality, photo
- Contact: personal email, phone
- Employment: contract, salary, position, evaluations, training
- Banking: IBAN for payroll
- Family: dependents (for benefits/tax purposes only)
Recipients:
- Internal: HR, Finance, direct managers (for evaluations)
- External: Payroll provider (PayrollCo, FR), Social security (URSSAF), Tax authority (DGFiP), Pension provider (XYZ)
International transfers: None
Retention:
- Active employees: duration of employment
- Former employees: 5 years post-departure (labor law prescription)
- Pay slips: 5 years (employer copy)
- Tax documents: 6 years (tax obligations)
Security measures (TOMs):
- Access restricted to HR + direct managers via role-based access
- HR system: TLS 1.3, AES-256 at rest
- MFA mandatory for HR system access
- Annual security awareness training for HR staff
- Backup: daily, retained 90 days, encrypted
DPIA conducted: No (standard HR processing per CNIL guidance)
5. Sample controller ROPA entry — marketing
Processing activity: Email marketing to opted-in subscribers
Controller: Acme SAS
DPO: dpo@acme.com
Purposes: Send marketing emails about products, events, content
Lawful basis: Article 6(1)(a) (consent) — explicit opt-in via signup form
Data subjects: Newsletter subscribers (12,500)
Data categories: Email address, first name, opt-in date and source, click/open behavior
Recipients:
- Internal: Marketing team
- External: Email service provider (Mailchimp, USA — EU-US DPF certified)
International transfers: USA via Mailchimp DPF
Retention:
- Active: as long as consent maintained
- After unsubscribe: 24 months (proof of consent for liability period)
Security:
- TLS 1.3 to ESP
- Mailchimp SOC 2 Type II + ISO 27001
- API key rotation quarterly
DPIA: No
6. Sample controller ROPA entry — analytics
Processing activity: Website analytics
Controller: Acme SAS
DPO: dpo@acme.com
Purposes: Understand site usage, improve content and user flows
Lawful basis: Article 6(1)(a) (consent via cookie banner)
Data subjects: Site visitors (~100,000/month)
Data categories: Pseudonymized event data (page views, clicks, time on site), browser/device info, truncated IP
Recipients:
- Internal: Marketing team for reports
- External: Google LLC (Google Analytics 4)
International transfers: USA — Google LLC has Swiss-US DPF certification. Standard Contractual Clauses signed as fallback.
TIA conducted: Sep 2025, low-risk given pseudonymization.
Retention: 14 months (GA4 default)
Security:
- HTTPS for all data transmission
- IP anonymization enabled in GA4
- No PII passed to GA4
DPIA: Yes (December 2024) — see DPIA-2024-003
7. Maintenance workflow
A ROPA is not a one-time document. Maintain it on the following cadence:
Quarterly (15-30 min)
- Review changes in vendor list (new sub-processors)
- Confirm retention periods still applied
- Check transfer mechanisms still valid (DPF certifications, SCCs)
Annually (4-8 hours)
- Full review of every entry
- Update word counts and data subject volumes
- Re-confirm lawful basis and DPIA status
- Add new processing activities introduced during the year
- Archive obsolete entries
Triggered review (when…)
- New processing activity introduced
- New vendor added
- Major regulation update (e.g., new EDPB guidelines)
- DPA inspection notification
8. Common ROPA failures (from CNIL inspections)
- Missing entries for marketing tools (analytics, A/B testing, heatmaps) added without privacy review
- Generic security descriptions (“appropriate technical measures”) without specifics
- Incorrect lawful basis (consent invoked when contract or legitimate interest applies)
- Out-of-date retention periods not aligned with actual deletion
- Sub-processors not listed — only top-level vendor named
- No documented review process — entries not updated for 18+ months
- No DPIA cross-reference for high-risk processing
- Missing international transfer details — country named but not safeguard mechanism
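Most of the failure patterns above are mechanical enough to check automatically before an inspection, rather than discovering them when the inspector samples an entry. The following is an added example, not code from this guide or from any Legiscope product: a small Python checker that runs over ROPA entries held as plain dicts. The key names (controller, purposes, transfers, toms, sub_processors, dpia_ref, high_risk, last_reviewed), the 18-month staleness threshold and both sample entries are assumptions constructed for the example; the mandatory field list follows section 2 and each check corresponds to one failure listed in this section.

```python
"""Constructed ROPA completeness checker (example code, not part of the guide).

Encodes the controller fields of Article 30(1) and the recurring failure
patterns from section 8 as mechanical checks over ROPA entries stored as dicts.
The key layout is an assumption chosen for the example, not a prescribed schema.
"""
from __future__ import annotations

from datetime import date

# Article 30(1) fields every controller entry must carry (assumed key names).
MANDATORY_FIELDS = (
    "controller", "purposes", "data_subjects", "data_categories",
    "recipients", "transfers", "retention", "toms",
)
# An explicit empty list for transfers records "no transfers"; other fields must be filled.
MAY_BE_EMPTY = {"transfers"}

# Wording that names no concrete measure (section 8: generic security descriptions).
GENERIC_TOMS = ("appropriate technical measures", "appropriate measures", "industry standard")

# Section 8 cites entries not updated for 18+ months; approximate threshold in days.
STALE_AFTER_DAYS = 18 * 30

# Constructed reference date for the example run.
TODAY = date(2025, 12, 1)


def check_entry(entry: dict, today: date = TODAY) -> list[str]:
    """Return human-readable findings for one ROPA entry (empty list = clean)."""
    name = entry.get("activity", "<unnamed>")
    findings: list[str] = []

    # 1. Mandatory Article 30(1) fields present and, where required, non-empty.
    for field in MANDATORY_FIELDS:
        if field not in entry:
            findings.append(f"{name}: missing mandatory field '{field}'")
        elif field not in MAY_BE_EMPTY and not entry[field]:
            findings.append(f"{name}: mandatory field '{field}' is empty")

    # 2. Generic TOMs description without specifics.
    toms_text = " ".join(entry.get("toms", [])).lower()
    if any(phrase in toms_text for phrase in GENERIC_TOMS):
        findings.append(f"{name}: TOMs description is generic, name concrete measures")

    # 3. Transfer names a country but no safeguard mechanism (DPF, SCCs, ...).
    for transfer in entry.get("transfers", []):
        if not transfer.get("safeguard"):
            country = transfer.get("country", "?")
            findings.append(f"{name}: transfer to {country} lacks a safeguard mechanism")

    # 4. External recipients must declare sub-processors; an empty list is an explicit answer,
    #    a missing key means nobody asked the vendor.
    for recipient in entry.get("recipients", []):
        if recipient.get("external") and recipient.get("sub_processors") is None:
            findings.append(f"{name}: external recipient {recipient['name']} has no sub-processor list")

    # 5. High-risk processing must cross-reference a DPIA.
    if entry.get("high_risk") and not entry.get("dpia_ref"):
        findings.append(f"{name}: high-risk processing without DPIA cross-reference")

    # 6. Entry not reviewed within the staleness window.
    last = entry.get("last_reviewed")
    if last is None or (today - last).days > STALE_AFTER_DAYS:
        findings.append(f"{name}: entry is stale (last reviewed {last})")

    return findings


def check_ropa(entries: list[dict], today: date = TODAY) -> dict[str, list[str]]:
    """Run check_entry over a whole ROPA; returns only activities that have findings."""
    report: dict[str, list[str]] = {}
    for entry in entries:
        findings = check_entry(entry, today)
        if findings:
            report[entry.get("activity", "<unnamed>")] = findings
    return report


# Constructed sample: the HR entry from section 4, in the assumed key layout.
HR_ENTRY = {
    "activity": "Employee personnel files",
    "controller": "Acme SAS, 12 rue X, 75001 Paris",
    "purposes": ["Employment contract execution", "Payroll management"],
    "data_subjects": ["Current employees", "Former employees"],
    "data_categories": ["Identity", "Contact", "Employment", "Banking", "Family"],
    "recipients": [
        {"name": "HR", "external": False},
        {"name": "PayrollCo", "external": True, "sub_processors": ["HostingCo (constructed)"]},
    ],
    "transfers": [],  # explicitly none
    "retention": ["Former employees: 5 years post-departure"],
    "toms": ["Role-based access", "TLS 1.3", "AES-256 at rest", "MFA"],
    "high_risk": False,
    "dpia_ref": None,
    "last_reviewed": date(2025, 9, 1),
}

# Constructed sample that exhibits several section 8 failures at once.
HEATMAP_ENTRY = {
    "activity": "Heatmap tool",
    "controller": "Acme SAS",
    "purposes": ["Understand page usage"],
    "data_subjects": ["Site visitors"],
    "data_categories": ["Click coordinates", "Truncated IP"],
    "recipients": [{"name": "HeatmapVendor (constructed)", "external": True}],  # no sub_processors key
    "transfers": [{"country": "USA"}],  # country named, safeguard missing
    "retention": [],  # never filled in
    "toms": ["Appropriate technical measures are in place"],
    "high_risk": True,
    "dpia_ref": None,
    "last_reviewed": date(2023, 1, 15),
}

if __name__ == "__main__":
    for activity, findings in check_ropa([HR_ENTRY, HEATMAP_ENTRY]).items():
        print(activity)
        for line in findings:
            print("  -", line)
```

Running the block prints nothing for the HR entry and six findings for the constructed heatmap entry: an empty retention field, a generic TOMs description, a transfer without safeguard, an external recipient with no sub-processor list, high-risk processing without a DPIA reference, and a last-review date well past the 18-month window. The same checks slot naturally into the quarterly review in section 7, with `today` set to the review date.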
9. ROPA in spreadsheet vs. dedicated tool
For organizations with <30 processing activities and <10 vendors, a spreadsheet works. Beyond that:
- Spreadsheets become unwieldy for cross-referencing (sub-processors, DPIAs, lawful bases)
- No automation of vendor data refresh
- No alerts on stale entries
- No multi-language support if FR + EN ROPA needed
- No audit trail of changes
Legiscope automates ROPA maintenance: AI parses vendor DPAs to populate processor entries, alerts on missing TIA for international transfers, version-controls every change, generates the export the DPA requests during inspections. For a 100-employee company with 30 processing activities, the time saving is 100-200 hours per year.
10. The “first document the regulator asks for”
Every CNIL inspection begins with a request for the ROPA. The CNIL inspector then samples 5-10 entries and asks for supporting documentation: signed DPAs, DPIAs, consent proof, retention deletion logs.
If the ROPA is incomplete or out of date, the rest of the inspection cascades unfavorably. If the ROPA is complete and well-maintained, the inspection is largely a confirmation exercise.
For the related implementation guides: Article 28 RGPD, Article 35 RGPD (DPIA), data privacy compliance guide, DPO job description.
Conclusion
The ROPA is not paperwork — it is the operational nerve center of a privacy program. Every other compliance artifact (DPIA, DPA, breach response, data subject request handling) traces back to entries in the ROPA. Investing in a complete, well-maintained ROPA pays back the first time a regulator asks for it.
FAQ
Is a ROPA mandatory for small businesses?
Article 30(5) provides a narrow exemption for organizations under 250 employees, but only if processing is occasional, doesn’t include special categories, and poses no risk. In practice, virtually no business meets all three conditions. Treat the ROPA as mandatory.
What’s the difference between a controller ROPA and a processor ROPA?
Controllers maintain a ROPA listing all their processing activities (Article 30(1), 8 mandatory fields). Processors maintain a ROPA listing the categories of processing they perform on behalf of each controller (Article 30(2), 5 mandatory fields).
How often should the ROPA be updated?
Quarterly for vendor and sub-processor changes. Annually for full review. Immediately when a new processing activity is introduced or when a major regulation update affects an existing entry.
Does the ROPA need to be in a specific format?
GDPR doesn’t mandate a format. Article 30(3) requires it to be in writing, including electronic form, and made available to the supervisory authority on request. Spreadsheets work for small operations; dedicated tools become necessary beyond 30 activities or 10 vendors.
Can I delegate ROPA maintenance to my DPO?
The DPO can coordinate ROPA maintenance but the controller remains responsible (Article 24). Best practice: business unit owners populate entries for their processing, the DPO reviews for completeness and quality, and the controller approves quarterly.