Records of Processing Activities (RoPA)

An internal inventory of all processing activities a controller or processor carries out, required under GDPR Article 30.

Also: RoPA · Article 30 record · Processing inventory

A Record of Processing Activities is the internal inventory GDPR Article 30 requires every controller (and most processors) to maintain. It's the document a regulator can ask for, with very little notice, to verify that the organisation actually knows what data it processes and why.

What's in it

For a controller (Article 30(1)):

  • Name and contact details of the controller, joint controller, and DPO.
  • Purposes of the processing.
  • Categories of data subjects and categories of personal data.
  • Categories of recipients (including third-country recipients).
  • Transfers to third countries and the safeguards used.
  • Retention periods, where possible.
  • General description of technical and organisational security measures.

For a processor (Article 30(2)):

  • Name and contact details of the processor and each controller for whom they process.
  • Categories of processing.
  • Transfers to third countries and safeguards.
  • General description of security measures.

Who is exempt

Organisations with fewer than 250 employees are exempt — unless the processing is likely to result in a risk to data subjects, is not occasional, or includes special categories of data. In practice, almost no organisation processing personal data routinely qualifies for the exemption.

How vendors fit

Each vendor that processes data on the controller's behalf is a recipient and has to be listed in the RoPA — typically with the data categories transferred to them, the purpose, and any cross-border transfer mechanism.

When a vendor's processing changes (new subprocessor, retention period, transfer destination), the RoPA entry for that vendor has to change too. The RoPA is the regulator-facing artefact; vendor monitoring is the activity that keeps it accurate.

A RoPA that says a vendor is in the EU when their current subprocessor list shows three new US destinations is, at best, embarrassing during an audit.
