Processing directory

The record of processing activities (ROPA)


As the controller, you must ensure that there is a record of all processing activities. This processing register documents the processes in which personal data is processed. 


According to the GDPR, this obligation does not apply to companies or organisations with fewer than 250 employees, unless:

  • the processing poses a risk to the rights and freedoms of data subjects,
  • special categories of data are processed, or
  • the processing is not merely occasional.

The last point in particular means that a record of processing activities is required in almost all cases. After all, when is personal data processed only occasionally? As soon as you employ staff, it is difficult to argue that processing is merely occasional. And if you offer regular training courses or training programmes, you also regularly process participant data.

In any case, you should also check national law. The German Federal Data Protection Act, for example, does not provide for any exceptions to keeping a record of processing activities. In Germany, such a record must therefore always be kept.

Even if there is no obligation to keep a record of processing activities in your country, it makes sense to create one. The record makes the data protection-relevant processes in the organisation visible and allows them to be evaluated, so that risky processes can be identified and protective measures taken.


[Figure: Example of a template for a processing directory in a spreadsheet (screenshot of an Excel file used as a record of processing activities)]


What does a record of processing activities look like?

There is no binding template for a processing directory. The GDPR merely defines what information must be included. The first step is to collect all processes in which personal data is processed. This includes all processes relating to the administration of employees and of all other persons whose data is processed, such as customers, interested parties or participants.

Examples of such processes are:

  • Personnel file management
  • Payroll accounting
  • Application processes
  • E-mail communication within the company
  • Website operation
  • Management of the customer database
  • Registration process for an online webinar

You document the following information for each processing activity:

  • Name and contact details of the person responsible for the process
  • Purpose of the processing
  • Description of the categories of data subjects and the categories of personal data
  • Categories of internal and external recipients (if any)
  • Information on the transfer of data to a third country (if applicable)
  • Information on the planned deadlines for deleting the data
  • Information on the technical and organisational measures that ensure the security of the processing
  • In practice, it has also become common to include the legal basis for the processing in the record.

Templates for the processing directory can be found on the Internet, and there are now also online tools that can be used to manage the directory digitally.


Template: Documentation of individual processing activities with instructions for completion (docx file)



If a company does not keep a record of processing activities, or is unable to provide the complete record when requested by the supervisory authority, a fine may be imposed in accordance with Art. 83(4)(a) GDPR. The possible range is up to 10 million euros or 2% of annual turnover, depending on the severity of the offence.