Records of Processing Activities(ROPA): The key role for data protection and transparency in the modern working world
Modern data processing has taken on a prominent role in the world of work and has thus also increased in economic importance. The increased exercise of data subjects' rights has led to increased demand for information and transparency vis-à-vis data subjects. The Records of Processing Activities is a core instrument for implementing data protection and transparency obligations in order to provide meaningful and up-to-date documentation.
Almost every company is legally obligated to maintain a correct record of processing activities when it comes into contact with personal data and its processing. The records of processing activities thus represent documentation that basically shows the handling of personal data within the company. By writing down security measures, data protection-compliant methods are shown that define the protection of data and information and thus secure an audit by the supervisory authorities. This is an important point, as any complaint or audit will have the first supervisory look at the processing directory.
The Records of Processing activities - the basics
- A record of processing activities must be kept by every data processing entity
- A record of processing activities must be kept in written form. Electronic documentation is in compliance with the law
- Processors must keep a record of processing activities
- Violations can be punished with fines of up to 10 million euros or 2% of annual turnover (previous fiscal year)
When does a company need a Record of Processing Activities?
According to the GDPR, almost every company needs a detailed directory showing the Record of Processing Activities (ROPA). This requirement applies to all natural persons, associations, companies and public authorities that process personal data. Processors or their representatives are also obliged to keep a register of all processing activities commissioned and are subject to the same data protection requirements as the client.
If a company is required to maintain a Records of Processing Activities (ROPA), options should be explored to ensure compliance with the GDPR. As a controller, you can create the directory on your own, but this usually turns out to be a difficult hurdle to overcome, as it involves a lot of time and high risk. The safest method, which also does not affect your core business, is to hire a specialist!
heyData is happy to offer itself as your competent partner here! Just contact us!
Under special circumstances, the obligation to keep a ROPA may be void. According to Art. 30 (5) of the GDPR, a ROPA must only be kept if one of the following criteria is met:
- The company has at least 250 employees
- The data processing involves a risk to the rights and freedoms of data subjects
- Particularly sensitive data are processed (religion, political opinion, sexual orientation...)
- Data on convictions or criminal offences are processed; or
- Internal data processing is not only occasional
Especially the last point is difficult to grasp for smaller companies, as there is no precise definition of regular or occasional processing of personal data. Here, case law and the relevant literature are cloak-and-dagger.
1. However, occasional data processing is defined on the basis that data processing takes place only at long intervals or involves an unpredictable amount of time.
2. Regular data processing exists in these cases:
- a continuous or clearly defined (time aspect) data processing
- continuous data processing
- a data processing at specific points in time
If one of these points is fulfilled, the company is obliged to keep a processing register!
The resulting documentation of all processing operations is an important pillar of data protection compliance, as the ROPA to be kept provides evidence that all provisions of the GDPR have been complied with.
The contents of a Records of Processing Activities (ROPA)
As a content requirement, all automated, or non-automated, data processing operations of personal data are recorded in a ROPA. All data stored or yet to be stored must be defined. Every activity related to this data must always be documented in the ROPA.
When creating a ROPA for the first time, attention should be paid to data inputs and data outputs. A new description should be created for each individual data processing activity. If inventory data is processed for a different purpose, then this new processing operation is also recorded in writing!
"Do all customer data really have to be recorded in a Records of Processing Activities (ROPA)"? - this question is often asked of heyData. The answer is simple: no, a Records of Processing Activities (ROPA) records data protection operations and data categories that process and store personal data internally, but not individual customer data!
Examples of activities and data work include:
- processing of applicant and personnel information
- internal and external (operational) communication processes
- data and activities from customer care
- marketing activities
- activities from the finance department and accounting
- video and audio surveillance
- data destruction processes
Each ROPA should include the following items:
- contact details and designation of all data processing controllers
- contact details of the appointed data protection officer
- the purpose of the data processing (personnel, leave, contracts...)
- category of data subjects to be processed (e.g. customer, employee...)
- categories of recipients with whom data is disclosed or is to be disclosed (e.g. suppliers, public authorities or credit institutions...)
- data that will be transferred to a third country or to an international organization. The third countries and the international organizations must be named here
- information about the intended deletion periods of the respective data categories.
- all descriptions of the technical and organizational measures (TOM) should be defined in a processing directory. All security measures implemented should be shown here (e.g. IT security, video surveillance...).
Change documentation must be kept in a ROPA. If, for example, the responsibility or the designated data protection officer changes, this must be documented in the change history.
The question of the scope of the Records of Processing Activities (ROPA) is not defined by law and is assessed on a case-by-case basis. However, if the ROPA is incomplete or missing, fines of up to 10 million euros or up to 2% of the annual turnover (previous fiscal year) may be imposed.
The Records of Processing Activities (ROPA) and the external Data Protection Officer
An external data protection officer is responsible for the secure and legally compliant implementation of data protection in the company and is in constant communication with the management and the specialist departments involved. The advantage of a qualified data protection officer is clear - he or she possesses professional and technical expertise and bears the risk within his or her task performance. In order to fulfil this, the external data protection officer must prove himself with regular training and continuous knowledge building.
In the processing of a ROPA, the external data protection officer should be consulted for support. He or she has the necessary expertise and practical experience. In cooperation with the respective departments and the management, all processing activities can be identified and thus documented in the processing directory.
Since the external data protection officer must act as a quasi-external employee within the company, he knows all data protection-relevant processes and can thus ensure secure documentation. In the ROPA, he bundles all findings and thus ensures a complete log that can withstand an audit by the supervisory authorities.
heyData - for a legally compliant Records of Processing Activities (ROPA)
Only a properly maintained processing directory leads to legal certainty! A properly maintained directory not only complies with the law, but also saves time within the company and offers economic advantages.
heyData offers you long-term process optimization and reassuring legal certainty.
With heyData, you are able to keep Records of Processing Activities (ROPA) in a conscientious manner and have more room for maneuvering for your actual core business. Don't see the processing directory as an annoying obligation - it is one of the proofs that your company meets the accountability in data protection! This strengthens your legal security, but also your internal and external image. Change management also involves the workforce and creates a "we-feeling", which is also a plus on the economic side.
Contact heyData and let our data protection experts advise you.
More articles
Partnership Spotlight: Cyberhotline
Welcome to our "Partnership Spotlight" section, where we showcase our strong partners. At heyData, we believe in customer-oriented collaboration, and through partnerships with other companies, we aim to offer our clients comprehensive solutions that go beyond just compliance and cover other aspects of their daily business operations.
Learn more
Improve your LinkedIn profile with heyData certificates
Our e-learning courses cover everything from the basics of data protection to the latest regulations and best practices for IT security, the lessons offered will continue to expand with data compliance topics planned for the future.
Learn more
10 GDPR Questions Every Data Protection Officer Should Know The Answer To (FAQs For DPOs)
Legally, DPOs are required for public entities and for private entities whose core activities includes processing that requires "regular and systematic monitoring of data subjects on a large scale” or “processing on a large scale of special categories of data,” as well as the processing of personal data for criminal offenses and convictions. Whether you are a seasoned DPO or just starting out in the role, here's a list of 10 common questions that every DPO should be able to answer.
Learn more