Legal · April 2026 · 8 min read

GDPR Article 30: Records of Processing Activities (ROPA) — Complete Guide

A ROPA is a written register of everything your organisation does with personal data. Every EU business likely needs one — and a supervisory authority can demand it at any time.

What is a ROPA?

A Record of Processing Activities (ROPA, sometimes called a “data processing register”) is a living document that catalogues every way your organisation handles personal data. Think of it as an inventory: for each activity, you record what data you collect, why, who you share it with, and how long you keep it.

GDPR Article 30 makes it a legal requirement for most organisations. Supervisory authorities — the national data protection regulators — can request it during an audit or investigation. Not having one is itself a GDPR violation, separate from any other issues they might find.

Who needs a ROPA?

Article 30(5) says organisations with fewer than 250 employees are exempt — but only if their processing:

  • Is not likely to result in a risk to the rights and freedoms of data subjects,
  • Is only occasional (not regular or systematic), and
  • Does not include special categories of data (health, biometric, political opinions, etc.) or criminal record data.

In practice, virtually every business with a website needs a ROPA. Running Google Analytics is “systematic” processing. Sending a newsletter is “regular”. Using a CRM makes data processing a core business activity. The exemption is narrow.

What must a ROPA contain?

Article 30(1) sets out the minimum contents for data controllers:

Field | Example
Name and contact details of the controller | Acme Ltd., Berlin — privacy@acme.com
Purposes of the processing | Email marketing, website analytics, order fulfilment
Categories of data subjects | Website visitors, customers, newsletter subscribers
Categories of personal data | Email address, IP address, name, purchase history
Recipients (incl. third parties) | Mailchimp, Google Analytics, Stripe
Transfers to third countries | Google Analytics → US, Standard Contractual Clauses
Retention periods | 3 years after last purchase, 30 days for server logs
Security measures (where possible) | Encryption at rest, TLS in transit, access controls

How to build your ROPA: step by step

1. Map every processing activity

Start by listing everything your organisation does that involves personal data. Common activities for a typical website:

  • Website analytics — IP addresses, device data, browsing behaviour via Google Analytics or similar
  • Email marketing — subscriber names and email addresses via Mailchimp, ConvertKit, etc.
  • Contact/enquiry forms — name, email, and message content
  • E-commerce / order processing — name, address, payment details
  • Customer support — email threads, ticket history
  • Advertising pixels — Meta Pixel, Google Ads — behavioural data for retargeting

2. Identify the legal basis for each

For each activity, you need to document which of the six GDPR lawful bases you rely on:

  • Consent (Art. 6(1)(a)) — email marketing with an opt-in checkbox
  • Contract (Art. 6(1)(b)) — processing an order
  • Legal obligation (Art. 6(1)(c)) — tax record-keeping
  • Legitimate interests (Art. 6(1)(f)) — basic website analytics (must be documented with a Legitimate Interest Assessment)

3. Document recipients and third-country transfers

If you use US-based tools (Google, Mailchimp, Stripe, HubSpot), you have third-country transfers. You need to document the safeguard mechanism used — almost always Standard Contractual Clauses (SCCs). Check each vendor's data processing addendum for confirmation.

4. Set retention periods

For each category of data, define how long you keep it and why. Common retention periods:

  • Server/access logs: 30–90 days
  • Customer account data: for the duration of the relationship + 3–7 years (for contract/legal claims)
  • Email marketing data: until unsubscribed + 30 days
  • Financial/invoice records: 7–10 years (legal obligation)

5. Keep it updated

A ROPA is a living document. Review it whenever you:

  • Add a new tool that processes personal data
  • Change your marketing or analytics stack
  • Launch a new product feature that collects new data types
  • Change your retention policy

At minimum, review it annually.

Real fines for missing or inadequate ROPA

Supervisory authorities increasingly check for ROPA compliance during audits:

  • The Austrian DSB fined a company for failing to maintain records as required by Article 30.
  • Several German DPAs have used the absence of a ROPA as an aggravating factor when calculating fines for other violations.
  • The Italian Garante has explicitly cited inadequate processing records when issuing enforcement notices.

Build your ROPA in minutes

fixGDPR's ROPA Generator walks you through every required field with a guided form. It automatically suggests recipients based on your compliance scan results — if your site loads Google Analytics, we pre-fill it as a recipient with the correct legal basis. Export to PDF when done.

Takes under 10 minutes. Covers all Article 30 requirements. Export to PDF for your files.