Build a GDPR Article 30 processing record
A Record of Processing Activities (ROPA) is the backbone of accountability under the GDPR. Article 30 requires controllers (and processors) to keep a written inventory of every processing activity so a supervisory authority — or your own team — can see at a glance what personal data flows through the organisation. This builder turns a handful of inputs into a clean, structured ROPA entry you can drop into your processing register.
How it works
The tool maps your inputs onto the mandatory fields Article 30(1) lists for controllers: the name and contact of the controller (and any data protection officer), the purposes of the processing, the categories of data subjects and personal data, the categories of recipients, any transfers to third countries, the envisaged retention periods, and a general description of the technical and organisational security measures under Article 32.
The legal basis selector covers all six Article 6 lawful bases. When you pick “legitimate interests” the record adds a reminder that a documented Legitimate Interests Assessment (balancing test) is required. A separate flag marks whether special category data under Article 9 is involved, which would require an additional condition beyond your Article 6 basis.
Tips and notes
- Keep one ROPA entry per distinct processing activity (for example, “payroll”, “marketing emails”, “CCTV”), not one per data field.
- Retention should be expressed as a rule tied to an event (
end of contract + 6 years) rather than a fixed calendar date, so the record stays accurate over time. - Review the register at least annually and whenever you add a new tool, vendor, or data flow.
- This is a template generator, not legal advice — have a qualified adviser review the output before it becomes your official record.