The Record of Processing Activity (RoPA) allows you to meet your legal obligation to document processing activities.
Mapping personal data and understanding its flow through the systems your organization uses is an essential first step to carrying out a RoPA.
Your RoPA should record all processing activities you perform and be kept updated.
It should include why personal data is being processed, from whom it is being collected, how long it will be retained, and the lawful basis for processing the personal data.
Responsible Party. Provide your name and title within the organization.
Personal Data Processing
Department / Function is the department within the organization for which you are responding, e.g., Human Resources, Information Technology, Complaints Division, etc.
The purpose of processing is the reason for which the data is collected, e.g., recruiting, pensions, etc.
Role responsible for the processing. This question is designed to help with internal accountability. (Example: Information Manager.)
Types of records. Select the way or ways in which the records are kept. Examples are paper or electronic. If they are maintained in some other form, you may select “Other” then add the record type in the text box.
For types or categories of individuals or data subjects, describe from whom the data is being collected, (for example, current employees, potential employees and consultants, customers, complainants, etc.) You should not include employees if their data is collected only for application login.
Types or categories of personal data. Describe the types of data being processed. Examples include key personal data (e.g., name, date of birth, nationality, etc.) contact data (e.g., address, email address, phone number), sensitive personal data (e.g., medical data), geo-location data, IP address.
Source of the personal data. Describe from where the data is collected, e.g., an individual or a third-party.
Where is personal data stored? Detail the tools or applications in which the data is stored.
Update of personal data. Describe under what circumstances personal data is updated.
Existence of automated decision-making, including profiling (if applicable). This is any algorithm-based decision that significantly impacts the individual, e.g., a denial of a payment plan or the hiring of a candidate.
Schedule 2 legal basis for processing personal data
In order to meet requirements for lawful basis, the processing must fall into one of the categories outlined by Article 6 of the GDPR. Those categories and their definitions in that article are
- Consent: “the data subject has given consent to the processing of his or her personal data for one or more specific purposes”
- Contract: “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”
- Legal obligation: “processing is necessary for compliance with a legal obligation to which the controller is subject”
- Vital interests: “processing is necessary in order to protect the vital interests of the data subject or of another natural person”
- Public function: “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”
- Legitimate interests: “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child”
In addition to the lawful basis, the data processing must be necessary in order to meet the requirements. If the aims of the processing could be achieved in another way, it would not be necessary, and the lawful basis would not be valid.
Schedule 3 legal basis for processing sensitive personal data (if applicable)
Under Article 9 of the GDPR processing of sensitive personal data, including “personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation” must fall under one of the below categories to be permissible.
- Consent: “the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where domestic law provides that the prohibition referred to in paragraph 1 may not be lifted by the data subject”
- Employment: “processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by domestic law or a collective agreement pursuant to domestic law providing for appropriate safeguards for the fundamental rights and the interests of the data subject”
- Vital interests: “processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent”
- Non-profit association: “processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects”
- Information made public: “processing relates to personal data which are manifestly made public by the data subject”
- Legal proceedings: “processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity”
- Public functions: “processing is necessary for reasons of substantial public interest, on the basis of domestic law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject”
- Medical purposes: “processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of domestic law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3”
Retention period of personal data. How long will the data be retained? (Example,
8 years after the account closed.)
Is it legally required to keep the personal data? Select either yes or no. If yes, describe the legal basis for retaining the data (e.g., Sec 12(1) AML Regulations).
Technical and organizational security measures protecting the personal data. Describe how the data will be safeguarded. You may wish to refer to your organization's security policy.
Recipients of the personal data. Outline the third-parties that will receive the personal data.
Types of recipients. For example, IT system supplier, public authority, Service provider (non-IT system). Note: A recipient is also an IT support team having (remote) access to the data
Data controller / Data processor / Joint controller. State whether your company is the data controller, data processor, or joint controller.
Article 4 of the GDPR defines these as:
- "'controller' means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data"
- "'processor' means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller"
Contractual agreement with recipients if data processor? Confirm whether a data processing agreement is in place with the data processor.
Is personal data transferred out of the country in which it is collected? Select yes or no.
Countries / Territories / International Organisations that personal data is transferred to. Examples: Kazakhstan, United Kingdom, United Nations, USA.
Transfer mechanism. Examples: Adequacy decision, Schedule 4 exemption (Public interest)
If international transfers take place, describe appropriate safeguards. Detail how data is safeguarded during transfer.