ROPA Generator
Generate your Records of Processing Activities in minutes. Required under GDPR Article 30 — make it available to regulators on request.
Article 30 compliant
Covers all required fields: purposes, legal bases, recipients, retention periods, and third-country transfers.
Pre-filled from your scan
Third-party recipients (analytics, ads, CRM tools) are automatically suggested from your compliance scan results.
Under 10 minutes
Guided form with smart defaults. Add as many processing activities as you need.
PDF export
Export a print-ready document to share with your DPO, legal team, or a supervisory authority.
Example — ROPA extract
| Activity | Legal basis | Data collected | Retention |
|---|---|---|---|
| 📧 Email marketing | Consent | Email address, name | 3 years |
| 📊 Website analytics | Legitimate interests | IP address, cookies, browsing behaviour | 3 years |
| 💬 Customer support | Contract | Name, email, message content | 3 years |
| 💳 Order processing | Contract | Name, address, payment information | 3 years |
Pro tool
The ROPA Generator is available on Pro and Agency plans. Upgrade to build, edit, and export your Article 30 records.
Upgrade to ProIncludes DPA generator, full fix details, API access & more
Frequently asked questions
Who needs a ROPA?
All organisations with 250+ employees must keep one. Smaller organisations are also required if processing is ongoing, risky, or involves special categories of data (health, biometric, political opinions, etc.).
What must a ROPA include?
Under GDPR Art. 30: controller identity, purposes of processing, categories of data subjects and personal data, recipients, third-country transfers (including the safeguard mechanism used), and retention periods.
How often should I update it?
Whenever you start a new processing activity, change a tool that handles personal data, or your retention policy changes. A practical approach is to review it quarterly.
Can a regulator demand my ROPA?
Yes. Supervisory authorities can request it at any time during an investigation or routine audit. Not having one is itself a GDPR violation.
Is this document legally binding?
The ROPA itself is an internal record — not a contract. It's a compliance document you maintain for your own organisation. Always have it reviewed by a qualified lawyer for high-risk processing.
Check your full site for GDPR issues
21 automated checks across GDPR, CCPA & LGPD. Results in 30 seconds, no account required.
Scan my site free