Record of Processing Activities (RoPA)

The record of processing activities lets you inventory your data processing operations and gives you an overview of what you do with the personal data concerned.

The obligation to keep a record is laid down in Article 30 of the GDPR. The record is a tool to help you comply with the Regulation.

The record is an inventory and analysis document: it must reflect the reality of your personal data processing and let you identify precisely, among other things:

  • The actors involved in the processing (controller, processors, representative, joint controller, etc.)
  • The categories of data processed
  • The purpose of the processing (what you do with the collected personal data)
  • Who has access to the personal data and who its recipients are
  • How long you retain the personal data
  • The technical and organisational security measures implemented

Besides being an obligation under Article 30 of the GDPR, the record is an internal control tool and, as mentioned above, a way to demonstrate your compliance with the GDPR. It lets you document your data processing and identify the questions you must ask yourself before and while processing the data: do I really need this particular data for this specific processing? Is it relevant to retain all this data for so long? Is the data sufficiently protected?

Creating and updating the record are opportunities to identify and rank the risks of your processing in light of the GDPR. This essential step will let you draw up an action plan for bringing your processing into compliance with data protection rules.

Here the CNIL presents the main elements of the record and also proposes a record template meeting the conditions set by the GDPR.

Who is subject to the obligation?

The duty to maintain a record of processing concerns, in principle, all entities, both private and public, regardless of their size, provided they process personal data.

What does the record include?

The controller's record must inventory all the processing operations carried out by your organisation.

In practice, a record form must be created for each of these activities.

This record must include the name and contact details of your organisation, as well as, where applicable, details of your representative if your organisation is not established in the European Union, and details of your Data Protection Officer if you have one.

Furthermore, for each processing activity, the record form must include at least the following details:

  • Where applicable, the name and contact details of the processing supervisor.
  • The purpose of the processing, i.e. the reason why you collected this data.
  • The categories of personal data (e.g. identity, family, economic and financial situation, banking data, connection data, location data, etc.).
  • The categories of recipients the personal data are or will be sent to, including the processors you use.
  • Transfers of personal data to another country or to an international organisation and, in some specific cases, the safeguards provided for these transfers.
  • The period provided for the erasure of the different categories of data, in other words the retention period, or the criteria used to determine it.
  • As far as possible, a general description of the technical and organisational security measures you will implement.

What form must the record take?

The GDPR only requires the record to be in written form. The record format can be chosen freely, and it can be created on paper or electronically.

  • To make keeping the record easier, the CNIL offers a basic record template (ODS format) designed to meet the most frequent data processing needs, in particular those of small organisations (very small firms, small and medium-sized enterprises, associations, small local authorities, etc.).
  • This template satisfies the requirements of Article 30 of the GDPR. The CNIL recommends, as far as possible, also completing the additional fields of the record, to make it a more comprehensive compliance tool.

Who must keep this record?

The record must be kept by the controllers or processors themselves. This gives them an overview of all the personal data processing activities they carry out.

Someone in the organisation can be specifically put in charge of the record. If the organisation has designated a data protection officer (DPO), internal or external, the DPO can be in charge of the record. The record can be one of the tools enabling the DPO to fulfil their mission of supporting GDPR compliance and their task of informing and advising the controller and processor.

Article 30 of the GDPR: Records of processing activities

  • Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information:

    • the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer
    • the purposes of the processing
    • a description of the categories of data subjects and of the categories of personal data
    • the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations
    • where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards
    • where possible, the envisaged time limits for erasure of the different categories of data
    • where possible, a general description of the technical and organisational security measures referred to in Article 32(1)

  • Each processor and, where applicable, the processor’s representative shall maintain a record of all categories of processing activities carried out on behalf of a controller, containing:

    • the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller’s or the processor’s representative, and the data protection officer
    • the categories of processing carried out on behalf of each controller
    • where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards
    • where possible, a general description of the technical and organisational security measures referred to in Article 32(1)

  • The records referred to in paragraphs 1 and 2 shall be in writing, including in electronic form.
  • The controller or the processor and, where applicable, the controller’s or the processor’s representative, shall make the record available to the supervisory authority on request.
  • The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10.