Record of processing activities (ROPA)

Learn what a record of data processing activities is.

Definition of the record of processing activities

The record of data processing activities provides a clear and structured mapping of all personal data processing operations and will be the starting point for control by the Data Protection Authority.

The record is provided for in Article 30 of the GDPR. It participates in the documentation of compliance.

As an inventory and analysis document, it must reflect the reality of your personal data processing and allow you to precisely identify:

  • the stakeholders (representative, subcontractors, co-managers, etc.) involved in the data processing,

  • the categories of data processed,

  • what the data is used for (what you do with it), who accesses the data and to whom it is communicated,

  • how long you keep it,

  • how it is secured.

Why a registry?

The record is made mandatory by Article 30 of the RGPD. Beyond the response to the obligation provided for by Article 30, the record is a tool for monitoring and demonstrating your compliance with the RGPD.

It allows you to document your data processing and to ask yourself the right questions: do I really need this data for my processing? Is it relevant to keep all the data for so long? Is the data sufficiently protected? Etc.

Its creation and updating are thus an opportunity to identify and prioritize the risks with regard to the RGPD. This essential step will allow you to deduce an action plan for the compliance of your processing with the data protection rules.

Which companies are affected by the obligation to complete a record?

All companies processing personal data of European citizens are concerned by the obligation to fill a register.

Companies with less than 250 employees benefit from a derogation with regard to record keeping. They are required to record only the following data processing operations:

  • Non-occasional processing (e.g. payroll management, customer/prospect and supplier management, etc.);

  • processing operations likely to involve a risk to the rights and freedoms of individuals (e.g. geolocation systems, video surveillance, etc.);

  • processing that involves sensitive data (e.g. health data, offenses, etc.).

In practice, this exemption is therefore limited to very specific cases of processing, implemented on an occasional and non-routine basis, such as a communication campaign for the opening of a new establishment, provided that such processing does not raise any risk for the data subjects. If there is any doubt as to whether this exemption applies to a processing operation, the CNIL recommends that you include it in your record.

Content of the processing record

Article 30 of the GDPR sets out specific obligations for the personal data controller record and the processor record. If your organization acts as both a processor and a data controller, your record must therefore clearly distinguish the two categories of activities.

In practice, in this case, the CNIL recommends that you keep 2 records:

  1. one for the processing of personal data for which you yourself are responsible,

  2. another for the processing operations that you carry out, as a processor, on behalf of your clients.

The "Data controller" record in Dastra

For each processing operation, the record of a data controller shall indicate at least:

  1. where applicable, the name and contact details of the joint controller of the processing carried out,

  2. the purposes of the processing, the objective for which you have collected the data,

  3. the categories of persons concerned (customer, prospect, employee, etc.),

  4. the categories of personal data (e.g. identity, family, economic or financial situation, banking data, connection data, location data, etc.),

  5. the categories of recipients to whom the personal data has been or will be communicated, including the processors you use,

  6. transfers of personal data to a third country or to an international organization and, in certain very specific cases, the guarantees provided for these transfers,

  7. the time limits for the deletion of the various categories of data, i.e. the retention period, or failing that the criteria for determining it,

  8. to the extent possible, a general description of the technical and organizational security measures that you implement.

Stakeholders

  • The identity and contact information of the data controller

  • The identity and contact information of the DPO if applicable

  • The identity and contact information of the representative, if any

  • The joint controller(s), if any

Purposes

  • All purposes related to the activity involving the processing

  • Compliance with a legal obligation

  • Fulfillment of a contract

  • Legitimate interest of the company or a third party

  • Public interest

  • Consent

  • Safeguarding the vital interests of the data subject or another person

Inventory of data and data subjects

  • Type of data subjects

  • Categories of data

  • Time limits for deleting data or applicable rule

Recipients and data transfers outside the EEA

  • Identification of recipients including internal recipients (department concerned by the processing); external bodies (commercial or institutional partners); subcontractors (host, solution provider); data subject where applicable and joint managers

  • For each recipient, identification of transfers outside the European Economic Area (EEA) and the legal tools used (Binding corporate rules in the case of transfers outside the EU with subsidiaries, standard contractual clauses, country recognized as adequate, etc.)

Security measures

  • Technical and organizational measures implemented to secure each data processing

  • For example, data encryption, pseudonymization, access limitation

The "Processor" record in Dastra

Each processor is required to fill out a less extensive record.

This record contains:

  • the contact details of the processor, its representative, if any, and its DPO

  • the contact details of all data controllers on whose behalf the processor acts (usually the clients)

  • the categories of data processed

  • the recipients

  • transfers outside the EEA

  • the security measures

For more information

Dernière mise à jour