10.03.2025
Register of processing activities (ROPA) simply explained - with guide & checklist
Who needs to create a record of processing activities (ROPA)? How is it structured? How often must the ROPA be updated and reviewed? In what form and language must the ROPA be kept? An overview with checklists and tips.

Dr Philipp Siedenburg
Director Privacy
What is a Record of Processing Activities (ROPA)?
The General Data Protection Regulation (GDPR) requires companies and organisations to keep a record of processing activities (Article 30 GDPR). Prior to the GDPR, German data protection law already provided for the obligation to keep a record of processing activities in the old Federal Data Protection Act (BDSG). Many companies obliged by Art. 30 GDPR were able to build on this when implementing the GDPR and further develop an existing register.
The so-called ROPA is an important component of any data protection management system (DPMS). A properly structured and maintained register enables companies and organisations to monitor, control and verify the lawfulness of the processing of personal data for which they are responsible. This allows any associated risks to be assessed and any need for action to be identified and implemented in an appropriate manner.
The purpose of Art. 30 GDPR is, on the one hand, to give effect to the principle of accountability under Art. 5 para. 2 GDPR and Art. 24 para. 1 GDPR, to which every data controller is subject. A properly managed ROPA enables data controllers to fulfil numerous data protection obligations in a legally compliant and more efficient manner. This includes, in particular, simpler responses to requests from data subjects and simpler, structured access to relevant information when conducting a data protection impact assessment.
On the other hand, data protection supervisory authorities can perform their supervisory tasks more effectively thanks to the mandatory maintenance of a ROPA and the resulting transparency regarding the processing of personal data by controllers and processors.
Who is required to conduct a ROPA?
Art. 30 GDPR sets out the basic obligation of controllers and processors to create and maintain a record of the processing activities of personal data. The ROPA provisions for controllers are set out in Art. 30 para. 1 GDPR, while the provisions for processors can be found in Art. 30 (2) GDPR.
Controllers within the meaning of Art. 4 No. 7 GDPR are natural or legal persons, public authorities, agencies or other bodies which alone or jointly with others determine the purposes and means of the processing of personal data.
According to Art. 4 No. 8 GDPR, processors are natural or legal persons, public authorities, institutions or other bodies that process personal data on behalf of the respective controller and in accordance with the controller's instructions, whereby the controller determines the means and purposes of the processing. The processor does not have the authority to decide on the purposes and means of processing and does not pursue its own business purposes with the processing; examples include cloud providers and call centres.
According to Art. 4 No. 1 GDPR, personal data is information relating to an identified or identifiable natural person (hereinafter "data subject"). This includes primarily the name and address, but also the IP address of a data subject.
When are you exempt from the ROPA obligation?
Companies or organisations with fewer than 250 employees are exempt from the basic obligation to conduct a ROPA under Art. 30 para. 5 GDPR.
However, this does not apply if companies or organisations with fewer than 250 employees carry out processing that either
- poses a risk to the rights and freedoms of data subjects (e.g. scoring or monitoring activities),
- is not occasional (e.g. regular processing of customer data) or
- involves the processing of special categories of data pursuant to Art. 9 para. 1 GDPR (e.g. religious or health data) or personal data relating to criminal convictions and offences within the meaning of Art. 10 GDPR.
Since almost all companies and organisations process personal data regularly and not only occasionally, the exception in Art. 30 para. 5 GDPR is almost never relevant in practice. As a rule, there is at least personnel or customer management, which includes keeping personnel files, managing a customer database or sending out newsletters. Personal data is therefore always processed regularly; in practice, many self-employed people, tradespeople and medical practices are also obliged to keep a ROPA. In most cases, the exemption in Art. 30 para. 5 GDPR will not apply.
What are the penalties for missing or incomplete ROPA?
Violation of the obligation to maintain a ROPA constitutes an administrative offence under Art. 83 para. 4 lit. a GDPR and is therefore punishable by a fine. The provision allows the competent authorities to impose fines of up to €10 million; in the case of a company, the fine may even amount to up to 2% of the total worldwide annual turnover of the previous financial year. The two maximum amounts in Art. 83 para. 4 GDPR are alternatives; whichever is higher applies.
How do I start creating a ROPA?
In the following, we focus on the requirements that a ROPA places on a controller (Art. 30(1) GDPR). According to Art. 24 para. 1 GDPR, the controller is obliged to implement organisational measures to ensure and demonstrate that processing carried out by a processor on its behalf complies with the GDPR; this includes giving appropriate instructions. Because the processor is bound by these instructions, the ROPA requirements for processors pursuant to Art. 30 (2) GDPR apply only in a reduced form.
What mandatory information must be included in a ROPA?
The (minimum) mandatory contents of a ROPA are conclusively regulated in the GDPR. The controller is free to include additional information in an appropriate place for further internal structuring.
Art. 30 para. 1 sentence 2 GDPR requires the controller to provide the following information:
- Purposes of the processing
- Categories of data subjects (e.g. employees, applicants, customers, patients, minors)
- Categories of personal data (e.g. contact data, address data, sales data), in particular whether they are special categories (e.g. health data)
- Categories of recipients of the personal data (e.g. for payroll accounting: banks, social security organisations, tax office)
- Indication of the third country or international organisation in case of transfer to non-EU countries, including, if applicable, adequate guarantees of an equivalent level of data protection
- Deletion periods, also taking into account retention obligations
- Description of technical and organisational measures (TOM) and/or reference to existing security concept with TOM
In what form and language must the ROPA be kept?
The ROPA must be kept in writing. This can also be done in an electronic format, such as specialised data protection management software or an Excel spreadsheet (Art. 30 (3) GDPR). Data subjects do not have to be given access to the ROPA and it does not have to be made publicly available.
However, the ROPA must be made available to the supervisory authority upon request (Art. 30(4) GDPR). The supervisory authority can then choose whether to request the ROPA in electronic or printed form. The GDPR does not specify the level of detail of the ROPA. However, it should enable the supervisory authority to carry out an initial verification "as easily as possible". To this end, it is recommended to organise the relevant information according to the categories of processing activities.
The ROPA should also be kept in German. Otherwise, the ROPA would have to be translated into German for the authority upon request pursuant to Section 23 (1) and (2) sentence 1 VwVfG.
How often must the ROPA be updated and checked?
The ROPA must be regularly maintained and kept up to date. Whenever a new processing activity involving personal data is added, the ROPA must be updated accordingly. In addition, the ROPA should be reviewed at regular intervals to ensure that all entries are still current. A good DPMS is helpful and useful for this.
In addition, the Data Protection Conference recommends that changes to the ROPA be made traceable with a retention period of one year in order to fulfil the accountability obligation under Art. 5(2) GDPR. This is particularly important if there have been changes in the meantime, for example with regard to the controller or even just the data protection officer.
Conclusion
The ROPA not only serves to fulfil the corresponding obligation under Art. 30 GDPR. It is also an effective basis for answering data subjects' requests for information. It further contributes to the completeness of the privacy policy, for example on a website, because the processing operations listed in the ROPA can be compared against those described in the policy. This makes it easier to comply with information obligations.
If you are unsure whether and how you need to create a ROPA, you should seek professional advice when in doubt. We can assist you with our in-house sample directory and help you achieve successful data protection management. The IT and legal experts at ISiCO GmbH have many years of experience in drafting ROPA. Our clients come from many different industries - put your trust in us! We look forward to working successfully with you on all your data protection issues!