
GDPR Records of Processing Activities (RoPA): Full Template

Updated 27 May 2026

The Records of Processing Activities (RoPA) is the central document of GDPR compliance. It is required under Article 30, and it is the first thing a supervisory authority will request during an investigation. Without it, you cannot demonstrate compliance — and you almost certainly cannot respond to a data breach, handle a data subject access request (DSAR), or conduct a data protection impact assessment (DPIA) properly.

This article covers what a RoPA must contain and provides a complete template.


Who Must Maintain a RoPA?

Controllers: Every organisation that determines the purposes and means of processing personal data must maintain a controller RoPA. This means virtually every company that handles personal data.

Exception for small organisations: The regulation includes an exemption for organisations with fewer than 250 employees, unless:

  • Processing is not occasional (i.e., ongoing, regular processing)
  • Processing is likely to result in risk to individuals
  • Processing includes special category data or criminal offence data

In practice, almost every company engaged in regular commercial processing (customers, employees, marketing, HR) does not qualify for the exemption. Maintain a RoPA regardless.

Processors: Data processors (companies processing data on behalf of controllers — most SaaS vendors) must also maintain a processor RoPA.


What a Controller RoPA Must Include

Article 30(1) requires the following elements for each processing activity:

  1. Name and contact details of the controller: your organisation name, address, and DPO contact (if applicable).

  2. Purposes of the processing: why you are processing this data. Each distinct purpose should be a separate entry or clearly separated.

  3. Categories of data subjects: who the data is about (customers, employees, website visitors, suppliers, etc.).

  4. Categories of personal data: what data is processed (names, email addresses, transaction data, health data, location data, etc.).

  5. Categories of recipients: who you share the data with (payment processors, marketing platforms, HR systems, cloud providers, etc.).

  6. Transfers to third countries: if personal data is transferred outside the EEA, identify the countries and the transfer mechanism used.

  7. Retention periods: how long each category of data is kept, or the criteria used to determine when it is deleted.

  8. Security measures (where possible): a general description of the technical and organisational security measures in place.


RoPA Template

RECORDS OF PROCESSING ACTIVITIES
[Company Name] | Data Controller
Last reviewed: [date]

─────────────────────────────────────────────────────────

PROCESSING ACTIVITY: Customer Account Management

Purpose:
  Managing customer accounts, delivering the contracted service

Legal basis (Article 6):
  Contract performance (6(1)(b))

Data subjects:
  Customers and authorised users of the service

Personal data categories:
  Name, email address, company name, role, login credentials,
  usage logs, billing address

Recipients:
  Internal: Customer success, support, finance teams
  External: Cloud hosting (AWS, eu-west), support platform (Intercom),
  payment processor (Stripe)

International transfers:
  Intercom (US) — Standard Contractual Clauses
  Stripe (US) — Standard Contractual Clauses + DPF certified

Retention period:
  Account data: Duration of contract + 2 years
  Billing records: 7 years (legal obligation)

Security measures:
  Encryption in transit (TLS 1.2+), encryption at rest (AES-256),
  access controls (role-based), MFA for admin access

─────────────────────────────────────────────────────────

PROCESSING ACTIVITY: Marketing Communications

Purpose:
  Sending marketing emails and product updates to customers and prospects

Legal basis (Article 6):
  Legitimate interest (existing customers) / Consent (prospects)

Legitimate interest documented: [Yes/No — link to LIA]

Data subjects:
  Customers and opted-in prospects

Personal data categories:
  Name, email address, company name, marketing preferences, email
  engagement data (opens, clicks)

Recipients:
  Marketing platform (HubSpot, US) — SCCs

International transfers:
  HubSpot (US) — Standard Contractual Clauses

Retention period:
  Active subscribers: Duration of subscription
  Opted-out contacts: Suppression list retained indefinitely (to
  prevent re-marketing)

Security measures:
  Data held with marketing platform, access limited to marketing team,
  opt-out mechanism in all marketing emails

─────────────────────────────────────────────────────────

PROCESSING ACTIVITY: Employee Records

Purpose:
  Payroll, HR management, compliance with employment law obligations

Legal basis (Article 6):
  Contract performance (6(1)(b)) + Legal obligation (6(1)(c))

Data subjects:
  Employees and contractors

Personal data categories:
  Name, address, date of birth, national insurance number, salary,
  bank account, employment terms, performance records, absence records

Special category data:
  Health data (absence, occupational health) — basis: legal obligation
  under employment law

Recipients:
  Payroll provider, pension provider, HMRC / tax authority

International transfers:
  None currently

Retention period:
  Employment records: 6 years post-employment
  Payroll and tax records: 6 years

Security measures:
  HR system access limited to HR and finance, payroll system with MFA,
  encrypted storage

─────────────────────────────────────────────────────────

Add one section per distinct processing activity.


Processor RoPA

If you are a data processor (processing on behalf of controller customers), your Article 30(2) RoPA must include:

  • Your name and contact details
  • For each controller customer: the controller's name and contact details
  • Categories of processing activities carried out for each controller
  • Information about transfers to third countries
  • Security measures


How Often to Review

Review the RoPA:

  • Annually (minimum)
  • When you launch a new product or processing activity
  • When you onboard a new significant data vendor
  • After a data breach or incident

A RoPA that has not been reviewed in 24 months is very likely inaccurate.

ComplyOne generates your GDPR documentation — RoPA, DPA, privacy notices, and gap assessment — in one workflow.
