
Record of processing activities (ROPA)

Learn what a record of processing activities is.

📖 Definition

The record of processing activities is the structured mapping of all personal data processing carried out within your organisation. It is the starting point for any inspection by a data protection authority and a central tool for compliance governance.

🔗 The record is required by Article 30 of the GDPR. It gives substance to the principle of accountability (Article 5(2)): the controller must be able to demonstrate compliance, not merely assert it.

It allows you to precisely identify:

  • The stakeholders involved (controller, processor, joint controllers, representatives)

  • The categories of data collected

  • The purposes of the processing

  • The recipients and transfers

  • The retention periods

  • The security measures implemented


🎯 Why maintain a record?

The record is mandatory (Article 30 of the GDPR). But beyond the regulatory obligation, it becomes a genuine management tool, enabling you to:

  • Document your processing activities to prove your compliance,

  • Identify and prioritise risks,

  • Define, justify and enforce your retention periods,

  • Rationalise your processing and delete unnecessary data,

  • Prepare your GDPR audits and DPIAs.


👥 Who is affected?

All organisations subject to the GDPR are concerned, whether they are established in the EU/EEA or process the personal data of individuals located there. A derogation exists for organisations with fewer than 250 employees (Article 30(5)).

That derogation is narrow: SMEs must nevertheless include in their record all processing that is:

  • non-occasional (e.g. HR management, payroll, customers, suppliers),

  • likely to pose risks to individuals (CCTV, geolocation, etc.),

  • or involving sensitive data (health, criminal offences, political opinions).

➡️ In practice, most organisations are affected. Data protection authorities recommend maintaining a record in all cases.


🧱 Two records to distinguish

Depending on your role, you must maintain:

  1. a data controller record,

  2. a data processor record.

The same organisation may hold both: for example, a SaaS company managing its own HR data (controller) and its clients' data (processor).


🧭 The data controller record (in Dastra)

For each processing activity, the record must contain at minimum:

  1. The name and contact details of the controller and, where applicable, of the joint controller, the controller's representative and the DPO

  2. The purposes of the processing

  3. The categories of data subjects (customers, prospects, employees, etc.)

  4. The categories of data (identity, finances, location, etc.)

  5. The recipients (internal, processors, partners)

  6. Transfers outside the EEA, with the associated safeguards (SCCs, BCRs, etc.)

  7. The retention periods or criteria for determining them

  8. A general description of the technical and organisational security measures (Article 32)

👤 Stakeholders

  • Data controller

  • DPO or compliance contact

  • Representative if applicable

  • Joint controllers or partners

🎯 Purposes and legal bases

All purposes linked to an activity (e.g. contract management, recruitment tracking, marketing) and, for each purpose, the legal basis relied on under Article 6 of the GDPR. Article 30 does not list the legal basis among the mandatory entries, but recording it is what allows you to demonstrate the lawfulness of each purpose:

  • Performance of a contract

  • Legal obligation

  • Legitimate interests

  • Public interest

  • Consent

  • Protection of vital interests

🧩 Data and data subjects

  • Type of data subjects (customers, employees, visitors…)

  • Categories of data collected

  • Retention periods or applicable rules

🌍 Recipients and transfers outside the EEA

  • Internal departments concerned

  • Processors, service providers or external partners

  • Joint controllers or data subjects

  • International transfers: identification of countries and legal tools (SCCs, BCRs, adequacy decision…)

πŸ” Security measures

  • Technical measures (encryption, pseudonymisation, backups)

  • Organisational measures (access management, training, internal policy)


🤝 The data processor record

Processors must also maintain a record (Article 30(2)). It is more concise and lists, for each controller on whose behalf the processor acts:

  • The contact details of the processor, DPO and representative if applicable

  • The contact details of the data controller clients

  • The categories of processing carried out on behalf of each controller, and the categories of data processed

  • The categories of recipients

  • Transfers outside the EEA and associated safeguards

  • The security measures applied

πŸ€– The AI systems register

With the entry into force of the AI Act, organisations will also need to document their artificial intelligence systems according to their risk level. Dastra already integrates an AI systems register to:

  • Link each AI system to its processing activities,

  • Describe the purposes, models used and training data,

  • Assess risks and control measures,

  • Track AI Act and GDPR compliance in a single space.


📘 Go further

Record of processing activities: Establish your record
