
Records of Processing Activities (ROPA) under EU GDPR

Updated April 2026 · EU GDPR Article 30 · EDPB aligned

The Article 30 Record of Processing Activities is the primary accountability document under EU GDPR. It is an internal inventory of every processing activity an organisation carries out, and it is the first document national supervisory authorities request in any investigation or audit. Without a complete, current ROPA, demonstrating accountability is nearly impossible.

How to read this guide. This guide explains requirements and expectations derived from EU GDPR 2016/679 and EDPB published guidance. Where we write “EU GDPR requires” we cite the regulation. Where we write “EDPB guidance indicates” we cite regulatory guidance, which is not identical to a statutory obligation. Application of GDPR obligations may vary depending on member state law and supervisory authority interpretation — consult a qualified data protection practitioner familiar with the relevant jurisdiction.

What the ROPA is

The ROPA is a documented inventory of every processing activity carried out by an organisation. Article 30 requires it to be maintained in writing — electronic form is acceptable and standard. It is an internal governance document, not required to be published, but must be made available to the supervisory authority on request.

Source: EU GDPR Article 30; EDPB accountability guidance

Who must maintain a ROPA

Article 30(5) provides a partial exemption for organisations with fewer than 250 employees — they are not required to maintain a ROPA unless processing is likely to result in risk to rights and freedoms, processing is not occasional, or it includes special category or criminal conviction data. In practice, most organisations with employees, customers, or any ongoing data processing fall outside this exemption. The EDPB recommends all organisations maintain a ROPA regardless of size as the most practical demonstration of accountability.

What the ROPA must contain

For controllers, Article 30(1) requires: controller identity and DPO contact details; the purposes of the processing; categories of data subjects and personal data; categories of recipients including those in third countries; details of transfers to third countries and safeguards; envisaged retention periods; and a description of technical and organisational security measures. The lawful basis for each processing activity is not explicitly listed in Article 30(1), but it is implied by accountability, regarded as strong best practice, and consistently expected by supervisory authorities in practice.

Processor ROPA — Article 30(2)

Processors must maintain a separate ROPA listing each controller on whose behalf they act, the categories of processing performed, details of any transfers, and security measures. Organisations that act as both controller and processor must maintain separate records for each role.

Maintenance and review

The ROPA must be kept up to date. New systems, new third parties, new purposes and changed retention periods all require ROPA updates. A review at least once a year is recommended, with ad hoc updates as changes occur. A ROPA that was accurate at publication but has not been reviewed for two years is not compliant from the date the processing changed.

Record this. Maintain the ROPA, date each entry and update, and keep previous versions. Supervisory authorities use gaps or inaccuracies in the ROPA as evidence of accountability failures. It must reflect what actually happens, not what the organisation aspires to do.

Note: application of EU GDPR obligations may vary under member state law. Confirm with a practitioner familiar with the relevant jurisdiction.

Not legal advice. This guide is derived from EU GDPR (Regulation (EU) 2016/679), EDPB published guidelines, and national supervisory authority guidance as at April 2026. Obligations are subject to change. Consult a qualified solicitor or data protection practitioner for advice specific to your organisation.