Records of processing activities (RoPA)
What is a RoPA and do I need one?

According to Article 30 of the GDPR, each controller is obliged to maintain a record of processing activities under its responsibility (RoPA).

Each processor is obliged to maintain a record of all categories of processing activities carried out on behalf of a controller. That means that, for example, a US-based service provider also needs a RoPA when it carries out processing activities on behalf of a controller.

The RoPA is mandatory documentation of a company’s processing activities and must be provided upon request by the data protection authority.

What does a RoPA include?

A RoPA must contain certain information. The legal requirements for the content of the RoPA are very limited. In practice, most companies voluntarily include additional information because the mandatory information is not sufficient to create a useful data protection structure for the company.

Mandatory content of the RoPA by the controller

The RoPA by the controller must contain the following information:

  • the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative, and the data protection officer
  • the purposes of the processing
  • a description of the categories of data subjects and of the categories of personal data
  • the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organizations
  • transfers of personal data to a third country or an international organization
  • the envisaged time limits for erasure of the different categories of data
  • a general description of the technical and organizational security measures

Mandatory content of the RoPA by the processor

The RoPA by the processor must contain the following information: 

  • the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller’s or the processor’s representative, and the data protection officer
  • the categories of processing carried out on behalf of each controller
  • transfers of personal data to a third country or an international organization
  • a general description of the technical and organizational security measures

Additional information

The RoPA provides the basis for fulfilling the information obligations and the rights of data subjects to access their personal data. All documents that may be required in connection with data protection will be based on the information in the RoPA.

Georgine Berger

“The RoPA is intended to contain all the information necessary to fulfill the obligations under Articles 13, 14, and 15 of the GDPR. Therefore, it is highly recommended to include more information rather than less.”

The following points outline additional information that it is advisable to include in the RoPA:

  • departments in which the data is processed
  • planned further processing activities (other than those for which the personal data were initially collected)
  • legal basis on which the respective processing activities are based
  • processors and joint controllers
  • applied software and involved systems

Peter Harlander

“It makes sense to store the data processing agreements together with the RoPA, so that they are immediately available when needed.”

Maintenance of the RoPA

There are no legal requirements for how to maintain a RoPA. The way the RoPA is maintained depends on its complexity. Simple processing records can be kept in an Excel sheet or other spreadsheet, while more complex RoPAs are maintained in specialized software.

What is the penalty for not having a RoPA?

Failure to maintain a record of processing activities, or providing incomplete or inaccurate information in the record, can result in an administrative fine of up to €10 million or 2% of the company’s global annual revenue of the previous financial year, whichever is higher.

FAQs

What is the difference between the controller and the processor?

The controller is the entity that determines the purposes and means of the processing of personal data. It has the primary responsibility for complying with the GDPR’s requirements. The controller exercises overall control over the personal data and is accountable for ensuring that data processing activities are lawful and in line with individuals’ rights.

The processor is an entity that processes personal data on behalf of the controller. Processors act on the instructions of the controller and are engaged by the controller to perform specific processing activities. Processors have limited responsibilities compared to controllers, and they must follow the controller’s instructions regarding data processing.

Does a processor need a RoPA?

Yes, each processor needs to maintain a RoPA of all categories of processing activities carried out on behalf of a controller.

Do I need to include every individual processing activity in the RoPA?

No, it is not necessary to list every single processing activity in detail within the RoPA. The GDPR does not require an excessively detailed enumeration of each individual process.

The RoPA should provide an overview of the nature of the processing activities and include the information relevant to compliance with data protection principles and obligations: the purposes of the processing activities, the categories of data processed, the categories of data subjects, the recipients to whom the personal data may be disclosed, the retention periods for the different categories of data, intended transfers to third countries, and a description of the technical and organizational measures in place to protect the data.

What happens if I do not maintain a RoPA although it is required under the GDPR?

Failure to maintain a record of processing activities, or providing incomplete or inaccurate information in the record, can result in an administrative fine of up to €10 million or 2% of the company’s global annual revenue of the previous financial year, whichever is higher.

In addition, failing to meet the GDPR requirements, including maintaining a RoPA, can harm an organization’s reputation. Public perception of an organization’s commitment to data protection and privacy may suffer, affecting customer trust and relationships.

How long should a RoPA be?

That depends very much on the organization. The RoPA should present an overview of the data processing flows. A RoPA can be 5 pages, 500 pages or even longer.

As a company outside the EEA, do I also have to maintain a RoPA?

Yes, if a company outside the EEA processes personal data of data subjects who are in the EU, then this company must maintain a RoPA if the processing activities relate to the offering of goods or services or the monitoring of the behavior of data subjects in the EU.

Why does it make sense to put additional information in the RoPA beyond the mandatory requirements?

The RoPA is intended to contain all information that helps fulfill data subjects’ rights, such as the right to information and the right of access to personal data. It is easier to fulfill those rights if you have an organized RoPA with a certain degree of detail.