# Record of processing activities (ROPA)

## Definition of the record of processing activities

The record of data processing activities provides a clear and structured mapping of all personal data processing operations and will be the starting point for control by the Data Protection Authority.

The record is provided for in [Article 30 of the GDPR](https://eur-lex.europa.eu/eli/reg/2016/679/oj#d1e3265-1-1). It forms part of your compliance documentation.

As an inventory and analysis document, it must reflect the reality of your personal data processing and allow you to precisely identify:

* the **stakeholders** (representative, processors, joint controllers, etc.) involved in the data processing,
* the **categories of data processed**,
* **what the data is used for** (what you do with it), **who accesses** the data and **to whom it is communicated**,
* **how long you keep it**,
* **how it is secured**.

## Why a record?

The record is made **mandatory** by Article 30 of the GDPR. Beyond meeting the obligation laid down in Article 30, the record is a **tool for monitoring and demonstrating your compliance with the GDPR**.

It allows you to document your data processing and to ask yourself the right questions: do I really need this data for my processing? Is it relevant to keep all the data for so long? Is the data sufficiently protected? Etc.

Creating and updating it is thus an opportunity to **identify and prioritize the risks** with regard to the GDPR. This **essential step** will allow you to derive an **action plan for the compliance** of your processing with the data protection rules.

## Which companies are affected by the obligation to complete a record?

All companies processing personal data of European citizens are subject to the obligation to complete a record.

{% hint style="info" %}
Companies with fewer than 250 employees benefit from a derogation with regard to record keeping. **They are required to record only the following data processing operations**:

* non-occasional processing (e.g. payroll management, customer/prospect and supplier management, etc.);
* processing operations likely to involve a risk to the rights and freedoms of individuals (e.g. geolocation systems, video surveillance, etc.);
* processing that involves sensitive data (e.g. health data, offenses, etc.).

In practice, **this exemption is therefore limited to very specific cases of processing**, implemented on an occasional and non-routine basis, such as a communication campaign for the opening of a new establishment, provided that such processing does not raise any risk for the data subjects. If there is any doubt as to whether this exemption applies to a processing operation, the CNIL recommends that you include it in your record.
{% endhint %}

## Content of the processing record

Article 30 of the GDPR sets out specific obligations for the *personal data controller record* and the *processor record*. If your organization acts as both a processor and a data controller, your record must therefore clearly distinguish the two categories of activities.

**In practice, in this case, the CNIL recommends that you keep 2 records:**

1. one for the processing of personal data for which you yourself are responsible,
2. another for the processing operations that you carry out, as a processor, on behalf of your clients.

### The "Data controller" record in Dastra

For each processing operation, the record of a data controller shall indicate at least:&#x20;

1. where applicable, **the name and contact details** of the [joint controller](https://eur-lex.europa.eu/eli/reg/2016/679/oj#d1e3083-1-1) of the processing carried out,
2. the **purposes** of the processing, the objective for which you have collected the data,
3. the categories of **persons concerned** (customer, prospect, employee, etc.),
4. the categories of **personal data** (e.g. identity, family, economic or financial situation, banking data, connection data, location data, etc.),
5. the categories of **recipients** to whom the personal data has been or will be communicated, including the processors you use,
6. **transfers** of personal data to a third country or to an international organization and, in certain very specific cases, the guarantees provided for these transfers,
7. the **time limits for the deletion** of the various categories of data, i.e. the retention period, or failing that the criteria for determining it,
8. to the extent possible, **a general description** of the technical and organizational **security measures** that you implement.

<figure><img src="https://2697025545-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LvBxs22wUMicv9uWp6C-1972196547%2Fuploads%2FCM1uKN1uySTuJHIytKU0%2FCapture%20d%E2%80%99e%CC%81cran%202023-05-03%20a%CC%80%2014.30.23.png?alt=media&#x26;token=b7deabea-bef1-442c-80f6-ff447c79e07c" alt="" width="182"><figcaption><p>A processing as controller in Dastra</p></figcaption></figure>

#### Stakeholders

* The identity and contact information of the data controller
* The identity and contact information of the DPO if applicable
* The identity and contact information of the representative, if any
* The joint controller(s), if any

#### Purposes

* All purposes related to the activity involving the processing

#### Legal basis

* Compliance with a legal obligation
* Fulfillment of a contract
* Legitimate interest of the company or a third party
* Public interest
* Consent
* Safeguarding the vital interests of the data subject or another person

#### Inventory of data and data subjects

* Type of data subjects
* Categories of data
* Time limits for deleting data or applicable rule

#### Recipients and data transfers outside the EEA

* Identification of recipients, including: internal recipients (department concerned by the processing); external bodies (commercial or institutional partners); processors (hosting provider, solution provider); the data subject, where applicable; and joint controllers
* For each recipient, identification of transfers outside the European Economic Area (EEA) and the legal tools used (binding corporate rules in the case of transfers outside the EU with subsidiaries, standard contractual clauses, country recognized as adequate, etc.)

#### Security measures

* Technical and organizational measures implemented to secure each data processing operation
* For example, data encryption, pseudonymization, access limitation

### The "Processor" record in Dastra

Each processor is required to fill out a less extensive record.

This record contains:

* the **contact details of the processor**, its representative, if any, and its DPO
* the **contact details of all data controllers on whose behalf the processor acts** (usually the clients)
* the **categories** of data processed
* the **recipients**
* **transfers** outside the EEA
* the **security measures**

<figure><img src="https://2697025545-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LvBxs22wUMicv9uWp6C-1972196547%2Fuploads%2FBthLQzIpId3c0fodhGqA%2FCapture%20d%E2%80%99e%CC%81cran%202023-05-03%20a%CC%80%2014.40.55.png?alt=media&#x26;token=dfa43ce6-e834-475b-ae45-fd9881cb4768" alt="" width="151"><figcaption><p>A processing as processor in Dastra</p></figcaption></figure>

## For more information

{% content-ref url="../../features/editer-le-registre" %}
[editer-le-registre](https://doc.dastra.eu/en/features/editer-le-registre)
{% endcontent-ref %}

{% content-ref url="../../features/editer-le-registre/establish-your-record" %}
[establish-your-record](https://doc.dastra.eu/en/features/editer-le-registre/establish-your-record)
{% endcontent-ref %}

{% content-ref url="../../features/editer-le-registre/remplir-le-questionnaire" %}
[remplir-le-questionnaire](https://doc.dastra.eu/en/features/editer-le-registre/remplir-le-questionnaire)
{% endcontent-ref %}

