SimpleAct Logo
GDPR · Art. 30

Records of Processing Activities (RoPA)

The record of processing activities under Art. 30 GDPR is the mandatory documentation of every processing of personal data in your company. SimpleAct guides you through all required fields – exportable for audits and supervisory authorities.

Start for free View GDPR compliance

What is the record of processing activities?

The Record of Processing Activities (RoPA) is mandatory under Art. 30 GDPR for nearly every company. It documents which personal data is processed for which purpose, on which legal basis and with which recipients. The RoPA is the central evidence document for the accountability principle – supervisory authorities can request it at any time.

Mandatory fields per processing activity

Purpose of processing
What is the data processed for? Each purpose is recorded and described individually.
Legal basis
On which basis under Art. 6 GDPR does the processing take place – contract, consent, legitimate interest?
Data categories & subjects
Which data types and which groups of people are affected – customers, employees, prospects?
Recipients & retention
To whom is data transferred, and after which periods is it deleted?

How to build a compliant RoPA

  • Capture all processing activities across the company
  • Define purpose and legal basis for each activity
  • Assign data categories and affected groups of people
  • Document recipients including processors
  • Note third-country transfers and safeguards
  • Record retention periods and security measures
  • Keep the record updated and ready to export

Frequently asked questions about records of processing

Who must keep records of processing?

In principle every company. The exemption for organisations with fewer than 250 employees rarely applies in practice, as it falls away for regular processing or sensitive data – which is almost always the case.

What happens without a RoPA during an audit?

A missing or incomplete RoPA is a separate GDPR violation and can be fined – regardless of whether the processing itself was lawful.

Does the processor also need a RoPA?

Yes. Art. 30(2) requires the processor to keep its own record of all processing carried out on behalf of controllers.

How often must the RoPA be updated?

The RoPA must always be current. It must be updated with every new processing activity or material change – an ongoing process, not a one-off document.

Records of processing with SimpleAct

Capture all mandatory fields in a structured way, link processors, and provide the complete record as an export for audits.

Start for free

Related topics

GDPR complianceData Protection Impact AssessmentData subject rightsGDPR module
Yannick Heisler

Yannick Heisler

Sales · Personal consultation

Records of Processing Activities (Art. 30 GDPR) – Requirements & Template | SimpleAct | SimpleAct