A Record of Processing Activities (RoPA) is the central inventory of how your company processes personal data. Article 30 of GDPR makes it mandatory for most organisations, and it is typically the first document a supervisory authority requests during an investigation or audit.
This guide explains what a RoPA must contain, who needs one, and provides a template you can use immediately.
## Who Needs a RoPA
Article 30 applies in full to controllers and processors with 250 or more employees, and its exemption for smaller organisations (Article 30(5)) is narrow. You must maintain a RoPA regardless of size if any of the following apply:
- Processing is likely to result in a risk to the rights and freedoms of data subjects
- Processing is not occasional (i.e., it happens regularly, not as a one-off)
- Processing includes special category data (health, biometric, ethnic origin, etc.)
- Processing includes personal data relating to criminal convictions
For virtually every SaaS company, processing is not occasional — it happens continuously as users interact with your product. The exemption rarely applies.
Conclusion for most SaaS: You need a RoPA regardless of headcount.
## What a Controller RoPA Must Contain
For each processing activity you control, Article 30(1) requires you to record:
| Field | What to include |
|---|---|
| Controller identity | Name and contact details of the controller (and any joint controllers) |
| DPO contact | If you have a DPO, their contact details |
| Purpose of processing | Why you are processing this data |
| Description of data subjects | Who the data is about (customers, employees, prospects, etc.) |
| Categories of personal data | What types of data (names, emails, payment data, usage logs, etc.) |
| Categories of recipients | Who you share the data with (including sub-processors) |
| International transfers | Any transfers to countries outside the EU/EEA and the transfer mechanism |
| Retention period | How long you keep the data, or the criteria for deletion |
| Security measures | A general description of your technical and organisational security measures |
## What a Processor RoPA Must Contain
If you process data on behalf of customers (as a processor), Article 30(2) requires a separate record for each controller you process for:
| Field | What to include |
|---|---|
| Processor identity | Name and contact details |
| Controller identity | Name and contact of each controller you process for |
| DPO contacts | If applicable |
| Categories of processing | Types of processing carried out for each controller |
| International transfers | Any transfers outside the EU/EEA and the mechanism |
| Security measures | General description of security measures |
As a SaaS company, you typically need both a controller record (for data you collect for your own purposes) and processor records (for data you process on behalf of customers).
## Controller RoPA Template
Copy this table structure for each processing activity:
### Processing Activity: [Name — e.g., "User Account Management"]
| Field | Detail |
|---|---|
| Purpose | To create and manage user accounts and provide access to the platform |
| Lawful basis | Article 6(1)(b) — performance of a contract |
| Data subjects | Registered users of the platform |
| Personal data categories | Name, email address, job title, company, password hash, account preferences |
| Special categories | None |
| Data sources | Direct from data subject at registration |
| Recipients | AWS (infrastructure, data processor), Postmark (email delivery, data processor) |
| International transfers | US — AWS (SCCs executed), Postmark (SCCs executed) |
| Retention period | Duration of account plus 30 days after account deletion |
| Security measures | See TOMs (technical and organisational measures) annex |
### Processing Activity: [Name — e.g., "Marketing and Lead Generation"]
| Field | Detail |
|---|---|
| Purpose | To send marketing communications and manage prospects |
| Lawful basis | Article 6(1)(a) — consent (for marketing emails); Article 6(1)(f) — legitimate interests (for B2B prospect contact) |
| Data subjects | Marketing subscribers; sales prospects |
| Personal data categories | Name, business email, company name, job title, marketing engagement data |
| Special categories | None |
| Data sources | Sign-up forms, LinkedIn (legitimate interest outreach), third-party data providers |
| Recipients | HubSpot (CRM, data processor), Mailchimp (email, data processor) |
| International transfers | US — HubSpot (SCCs executed), Mailchimp (SCCs executed) |
| Retention period | Active: duration of relationship + 1 year. Unsubscribed: suppression list retained indefinitely (to honour opt-out) |
| Security measures | See TOMs annex |
### Processing Activity: [Name — e.g., "Customer Support"]
| Field | Detail |
|---|---|
| Purpose | To respond to customer support requests and resolve technical issues |
| Lawful basis | Article 6(1)(b) — performance of a contract |
| Data subjects | Paying customers and their authorised users |
| Personal data categories | Name, email, support conversation content, account information, any personal data contained in support tickets |
| Special categories | Potentially — if tickets include health or other special category data |
| Data sources | Direct from data subjects via support channel |
| Recipients | Intercom (support platform, data processor) |
| International transfers | US — Intercom (SCCs executed) |
| Retention period | 3 years from last support interaction |
| Security measures | See TOMs annex |
### Processing Activity: [Name — e.g., "Product Analytics"]
| Field | Detail |
|---|---|
| Purpose | To understand product usage and improve the service |
| Lawful basis | Article 6(1)(f) — legitimate interests (improving the service for users) |
| Legitimate interests assessment | On file |
| Data subjects | Registered users |
| Personal data categories | User ID, feature usage events, session data, device and browser information |
| Special categories | None |
| Data sources | Automatically collected during product use |
| Recipients | Mixpanel (analytics, data processor) |
| International transfers | US — Mixpanel (SCCs executed) |
| Retention period | 24 months rolling |
| Security measures | See TOMs annex |
## Common Processing Activities to Include
Most SaaS companies should have RoPA entries for at least:
- User account management
- Product/service delivery
- Customer billing and payment processing
- Marketing and lead generation
- Customer support
- Product analytics
- Security and fraud prevention
- HR and payroll (if you have employees)
- Recruitment
- Business operations (finance, legal)
- Website visitors / cookies
## Maintaining the RoPA
The RoPA is not a one-time document. Update it when:
- You add a new product feature that processes personal data
- You onboard a new sub-processor or change vendors
- You change a retention period or deletion process
- You expand to a new jurisdiction with different data flows
- You collect a new category of personal data
Assigning RoPA maintenance to a named person (your data protection lead or CTO) and reviewing it quarterly is standard practice.