# Record of processing activities (ROPA)

### 📖 Definition

The **record of processing activities** is the **structured mapping of all personal data processing** carried out within your organisation. It is the **starting point for any inspection** by a data protection authority and a **central tool for compliance governance**.

> 🔗 The record is required by [Article 30 of the GDPR](https://eur-lex.europa.eu/eli/reg/2016/679/oj#d1e3265-1-1). It gives substance to the principle of **accountability**, or demonstrated responsibility.

It allows you to precisely identify:

* The **stakeholders** involved (controller, processor, joint controllers, representatives)
* The **categories of data** collected
* The **purposes** of the processing
* The **recipients and transfers**
* The **retention periods**
* The **security measures** implemented

***

### 🎯 Why maintain a record?

The record is **mandatory** (Article 30 of the GDPR). But beyond the regulatory obligation, it becomes a **genuine management tool**, enabling you to:

* Document your processing activities to **prove your compliance**,
* Identify and **prioritise risks**,
* **Optimise your retention periods**,
* **Rationalise your processing** and delete unnecessary data,
* Prepare your **GDPR audits** and **DPIAs**.

{% hint style="success" %}
💡 The record is not an administrative formality: it is the **key to effective governance** of your data and internal processes.
{% endhint %}

***

### 👥 Who is affected?

All organisations processing personal data of European residents are affected. However, a **derogation** exists for organisations with fewer than 250 employees.

{% hint style="info" %}
SMEs must nevertheless include in their record all processing that is:

* non-occasional (e.g. HR management, payroll, customers, suppliers),
* likely to pose **risks to individuals** (CCTV, geolocation, etc.),
* or involving **sensitive data** (health, criminal offences, political opinions).

➡️ In practice, **most organisations** are affected. Data protection authorities recommend maintaining a record **in all cases**.
{% endhint %}

***

### 🧱 Two records to distinguish

Depending on your role, you must maintain:

1. a **data controller record**,
2. a **data processor record**.

> The same organisation may hold both: for example, a SaaS company managing its own HR data (controller) and its clients' data (processor).

***

### 🧭 The data controller record (in Dastra)

For each processing activity, the record must contain at minimum:

1. The **name and contact details** of the controller or joint controller
2. The **purposes** of the processing
3. The **categories of data subjects** (customers, prospects, employees, etc.)
4. The **categories of data** (identity, finances, location, etc.)
5. The **recipients** (internal, processors, partners)
6. **Transfers outside the EEA**, with the associated safeguards (SCCs, BCRs, etc.)
7. The **retention periods** or criteria for determining them
8. A **general description of security measures**

#### 👤 Stakeholders

* Data controller
* DPO or compliance contact
* Representative if applicable
* Joint controllers or partners

#### 🎯 Purposes

All purposes linked to an activity (e.g. contract management, recruitment tracking, marketing, etc.).

#### ⚖️ Legal bases

* Performance of a contract
* Legal obligation
* Legitimate interests
* Public interest
* Consent
* Protection of vital interests

#### 🧩 Data and data subjects

* Type of data subjects (customers, employees, visitors…)
* Categories of data collected
* Retention periods or applicable rules

#### 🌍 Recipients and transfers outside the EEA

* Internal departments concerned
* Processors, service providers or external partners
* Joint controllers or data subjects
* International transfers: identification of countries and legal tools (SCCs, BCRs, adequacy decision…)

#### 🔐 Security measures

* Technical measures (encryption, pseudonymisation, backups)
* Organisational measures (access management, training, internal policy)

***

### 🤝 The data processor record

Processors must also maintain a record. It is more concise and lists:

* The contact details of the processor, DPO and representative if applicable
* The contact details of the **data controller clients**
* The **categories of data** processed
* The **categories of recipients**
* **Transfers outside the EEA** and associated safeguards
* The **security measures** applied

### 🤖 The AI systems register

With the entry into force of the **AI Act**, organisations will also need to document their **artificial intelligence systems** according to their risk level. Dastra already integrates an **AI systems register** to:

* Link each AI system to its processing activities,
* Describe the purposes, models used and training data,
* Assess risks and control measures,
* Track AI Act and GDPR compliance in a single space.

***

### 📘 Go further

{% content-ref url="/pages/-LvM7KI26TZ_CxoNeipO" %}
[Record of processing activities](/en/features/editer-le-registre.md)
{% endcontent-ref %}

{% content-ref url="/pages/4TOVCUQ6y1fnuq8YaZiH" %}
[Establish your record](/en/features/editer-le-registre/establish-your-record.md)
{% endcontent-ref %}

***

{% hint style="success" %}
💡 **Good practice:** Update your record **with each new processing activity** and **every major change** (new purpose, new provider, new transfer, etc.). Dastra can automatically notify you when a record needs reviewing.
{% endhint %}


