Article 30 - Record of Processing Activities - what should it contain?

May 17, 2021

The Record of Processing Activities serves to enable an organisation to have a clear picture, internally, of processing activities as well as providing evidence to authorities as how to data is being used.

Generally, a RoPA applies only to organisations employing 250 employees or more UNLESS:
- the processing being undertaken is like to result in risk to the rights and freedoms of data subjects or;
- the processing is not occasional - in which case, smaller companies where this applies are under obligation to maintain one.

A RoPA is necessary where special categories of data (listed in Article 9 (1))  or data relating to criminal offences and convictions (Article 10).

The information that a RoPA should contain differs for controllers and processors.

RoPA for the CONTROLLER:
Name and contact number of the controller;
The purpose of processing:
A description of the categories of data subjects;
A descriptions of the categories of data being processed;
The recipients to whom the personal data will be disclosed;
Details of transfers data to a third country or international organisation, if applicable and details of transfer safeguards in place;
Envisaged time limits that data will be kept;
A general description of the technical security measures undertaken by the organisation to protect data.

RoPA for the PROCESSOR:
Name and contact number of the processor(s);
The categories of processing carried out on behalf of the controllers (s);
Details of transfers data to a third country or international organisation, if applicable and details of transfer safeguards in place;
A general description of the technical security measures undertaken by the organisation to protect data.

Creating a RoPA is the important first step, however, work should be ongoing on this in that each time a new category of data is being processed or data is being processed for a different reason, this information will need to be added. In essence, the document, in whatever forms your organisation decides to keep it, should be update whenever there is any kind of change to processing activities. There is no format specified on how to complete the ROPA although authorities throughout the EU have released their own preferred version, along with accompanying notes on best practice.

The GDPR stipulates that the RoPA should be made in writing (includes electronic form) and be made available to the Supervisory Authority upon request.  The idea being that the keeping of records offers transparency of processing operations to both the SA and data subjects.

Become a Partner
As a partner you have the option to promote a wide spectrum of GDPR services from the complete GDPR checklist to GDPR managed services. PanoSec have an affiliate program and a channel partner program.
Affiliate Partners
Our affiliate program gives you the opportunity to gain a percentage of any revenue earned from customers you refer to us.

The program works as follows:

1. Create an account: Affiliate Registration
Register via the "Affiliate Registration" button below, then login to your account and click on "Programs".

2. Start promoting PanoSec products!
Once you are in the programs page, get your unique affiliate links and start marketing. You can track all your affiliate referrals in your personal dashboard.
Affiliate registration
Channel Partners
PanoSec Channel Partners Program is focused on technology companies, security VARs, SaaS service providers, business continuity experts and insurance companies who will use PanoSec as a part of their security offer to end users.

Start Now