GDPR Records of Processing Activities
Author: Dr. Thomas Helbing

Records of processing activities (RoPA) are a documentation requirement under the EU General Data Protection Regulation (GDPR). Under Art. 30 GDPR, organisations must maintain a list of all activities in which they process personal data (processing activities).
Somewhat imprecisely, the German terms Verfahrensverzeichnis and Verarbeitungsverzeichnis are also used for the records of processing activities (RoPA).
To make working on the RoPA easier, a generator was developed that drafts RoPA entries using AI: the VVT-O-Mat.
Summary
- Art. 30 GDPR requires organisations to keep records of all processing activities — the SME exemption (< 250 employees) almost never applies in practice.
- A "processing activity" is a bundle of processing steps with a single, unifying purpose; the right level of granularity follows business processes, not individual IT systems.
- Mandatory information: purpose, categories of data, categories of data subjects, recipients, third-country transfers, erasure periods and technical and organisational measures; useful additions: legal basis, IT system, processors.
- The RoPA is not merely mandatory documentation but the foundation for data protection compliance, accountability, information obligations and handling data subject access requests.
1. What is a processing activity?
The term "processing activity" is not defined in the GDPR. This often creates uncertainty about what has to be documented in the records of processing activities, and in what level of detail.
A "processing activity" can be understood as a bundle of processing steps that serves a single, overarching purpose, e.g. a specific business process or an IT tool.
Examples of processing activities include:
- Use of specific software or devices that capture, store or analyse employee data (e.g. time-recording systems, digital personnel files, electronic access-card systems, video surveillance).
- Standardised internal procedures in which employee data is continuously or systematically captured, stored or used (e.g. handling applicant data, administering and processing training measures, payroll, email newsletters for customers).
1.1 Granularity: how finely should you document?
It is often unclear at what level of granularity processing activities should be documented in the records. When deciding whether certain processing constitutes one large or several smaller processing activities, the following considerations can help:
- Breaking things down too finely results in an unmanageable number of processing activities and unnecessarily increases the administrative burden.
- Breaking things down too coarsely (e.g. "HR data management") no longer allows a meaningful review of data protection compliance.
- To identify an overarching purpose, it helps to orient yourself around existing business processes or areas of responsibility.
- The distinction can also be based on the technical systems underlying the processing activity. However, not every IT system needs to be treated as its own processing activity.
- If a processing activity would fall within the responsibility of several departments, splitting it up may make sense.
- On purely pragmatic grounds, a lower level of granularity may be acceptable for smaller organisations when defining processing activities.
1.2 What does not belong in the RoPA
Purely abstract processing without a specific purpose (examples: general use of office software, general project organisation) or only occasional processing (examples: keeping attendance lists for meetings) does not need to be treated as a "processing activity".
2. Examples of processing activities (samples/templates) under Art. 30 GDPR
The following sets out typical processing activities in an organisation. The list is illustrative and not exhaustive, and is intended merely as guidance.
The granularity is geared more towards small organisations. For medium-sized and larger organisations, a finer breakdown — e.g. in the HR area — will often make sense.
2.1 HR
- Application management / recruiting
- Personnel file management
- Payroll
- Time recording (clock-in/clock-out times)
- Personnel development / employee appraisals
- Fleet management
- Travel expense accounting
2.2 IT
- Email service for employees
- Internet access for employees
- File server
- Intranet / employee directory
- Guest Wi-Fi
2.3 Online
- Website operation
- Newsletter subscriber management
- Tracking (analysis of visitor traffic)
- Social media presence (e.g. Facebook fan page)
2.4 Customers
- Contract handling / sales / distribution
- CRM (customer database)
- Marketing (e.g. newsletter subscriber lists, opt-out lists)
2.5 General / suppliers
- Accounts payable
- Accounts receivable
- Project management
- Production (e.g. shift schedules)
- Internal audit
- Legal
- Compliance
2.6 Other
- Video surveillance
3. What information belongs in records of processing activities under Art. 30 GDPR?
3.1 Mandatory information under Art. 30 GDPR
The mandatory content of the records of processing activities is laid down in Art. 30 GDPR. In addition to the name and contact details of the organisation and of any data protection officer, the following must be stated for each individual processing activity:
- Purpose of the processing
- Categories of data processed
- Categories of data subjects whose data is processed
- Recipients
- Information on transfers to countries outside the EU/EEA
- Erasure periods
- Data security measures
3.2 Useful organisational additions
In addition, it is advisable to add the following organisational information:
- Short title of the processing activity
- Internally responsible department and person
- Date of the entry / of the last changes
If the organisation bases its data processing on the legal basis of a "balancing of interests" (Art. 6(1)(f) GDPR), this should be noted in the records of processing activities, together with details of the specific interests pursued. This information is needed again for the information obligations.
3.3 Recommended but non-mandatory information
Useful, although not legally required, are:
- Legal basis/bases under Art. 6 GDPR on which the processing relies; in the case of a "balancing of interests", additionally the legitimate interests (this information is needed for privacy notices under Art. 13(1)(c) and (d) GDPR).
- Designation of the IT system used
- Use of processors
- Presence of special categories of personal data under Art. 9 GDPR
- Further explanation of the data processing
- Relevant works agreements
3.4 Scope and level of detail of the description
The scope of the information on processing activities depends on the objective. If you only want to meet the formal legal requirements as concisely as possible, the mandatory information with a brief description is sufficient.
However, the records of processing activities are also a central building block of a data protection management system to ensure compliance with data protection within the organisation. Based on the records, individual processing operations can be reviewed for GDPR compliance and any improvements made. This often requires documentation of the processing that goes beyond the mandatory information.
In addition, more detailed records of processing activities help the organisation comply with the so-called accountability principle. Under the accountability principle, the organisation must be able to demonstrate compliance with the GDPR. The records are also an important aid when preparing privacy information (e.g. for employees or applicants) and when handling data subject access requests.
Since the records of processing activities must be provided on request from a supervisory authority, you should ensure that in such a case only the mandatory information can be extracted.
3.5 Practical tip: factor out repetitions
To avoid repetition, it is advisable to draft certain descriptions separately and merely refer to them in the individual entries, provided there are no particularities for the specific operation. This "factoring out" approach is particularly useful for erasure periods, data security measures and, where applicable, data recipients.
The information on individual processing activities can usually be brief and even given in bullet points, but it must be complete and understandable on its own. The more a processing operation can affect the interests of the data subjects, the more precise the description must be. Relevant criteria include the sensitivity of the data, the volume of data, the number of data subjects, the type of processing and how customary it is.
3.6 RoPA as pure documentation – assessment kept separate
Sometimes the records of processing activities also include aspects that serve to assess the data protection lawfulness of the operation, e.g. questions on the roles and authorisations concept or the legal basis. Personally, I recommend keeping these topics out of the records of processing activities and treating the records as pure documentation. GDPR compliance, by contrast, can be assessed and documented in separate documents.
4. Examples, samples, templates and free Excel templates
- Guidance from the German Data Protection Conference (DSK) on records of processing activities under Art. 30 GDPR (PDF, BayLDA)
- GDD practical guide on records of processing activities (PDF, Gesellschaft für Datenschutz und Datensicherheit e. V.)
- Bitkom guide to the processing register, including tips for creating one (PDF)
- Simple examples and samples from the BayLDA for small organisations (associations, car repair shops, trades businesses, medical practices, property management, online shops, accommodation businesses)
5. What else is important about records of processing activities?
- Records of processing activities are often perceived as a tiresome documentation requirement, but they are a central building block for ensuring data protection compliance within the organisation.
- Maintaining the records is the responsibility of the organisation, not the data protection officer. The task can, however, be delegated to the data protection officer if they agree. Before the GDPR this was disputed; the option to delegate is now recognised by supervisory authorities.
- The assumption that organisations with fewer than 250 employees do not need to keep records of processing activities is mistaken, since a counter-exception under Art. 30(5) GDPR usually applies.
- The effort required to create records for the first time should not be underestimated. Ongoing maintenance also ties up resources. Particularly in medium-sized and larger organisations, this requires fixed processes and the cooperation of the specialist departments.
- There are various providers of software solutions for maintaining records of processing activities. In many cases, however, Excel files or small SharePoint solutions are sufficient. Software tools often come with many additional, not necessarily desired features, cost money and lead to lock-in effects. Their use should therefore be carefully weighed, especially in small and medium-sized organisations.
- Records of processing activities must be made available to supervisory authorities on request.
- The German terms "Verfahrensverzeichnis" or "Verarbeitungsverzeichnis" are outdated and should no longer be used.
- The "public register of procedures" required under the old German Federal Data Protection Act (BDSG) no longer exists under the GDPR.
About the author
This blog post was written by Dr. Thomas Helbing, a specialist lawyer for IT law (Fachanwalt für IT-Recht) in Munich.
Dr. Helbing has been recognised by Handelsblatt as one of "Germany's best lawyers" in the fields of IT law and data protection law every year from 2020 to the present (2026).
According to Kanzleimonitor.de (2024–2026 editions), he is among the leading lawyers for data protection and IT law and is listed among the top 100 lawyers in Germany. Kanzleimonitor is regarded as a particularly meaningful market study because it is based exclusively on personal recommendations from in-house counsel.
Dr. Helbing has many years of advisory experience in data protection and IT law and advises clients of all sizes, from startups and fast-growing SaaS companies and unicorns to international corporate groups.
His professional background covers the full spectrum of practice in IT and technology law. He began his career at a large international law firm, then gained in-house experience at a DAX-listed company, and is himself an entrepreneur and the founder of several digital projects. He also has practical programming experience, which allows him to understand technical systems, software architectures and digital business models not only from a legal perspective but also from a technical one.
His long-standing clients include technology companies and SaaS providers, leading German research institutions and a systemically important major German bank. His advisory work focuses in particular on GDPR compliance, the data economy, SaaS, AI regulation and IT contract law.