Records of Processing Activities (ROPA): The key role of data protection and transparency in the modern working world

Modern data processing has taken on a prominent role in the world of work and has thus also grown in economic importance. Data subjects exercise their rights more often than before, which has increased the demand for information and transparency towards them. The Records of Processing Activities are a core instrument for implementing data protection and transparency obligations, because they provide meaningful and up-to-date documentation.

Almost every company that comes into contact with personal data and its processing is legally obligated to maintain a correct record of processing activities. The records of processing activities thus represent documentation that shows, in essence, how personal data is handled within the company. By writing down the security measures, the company shows its data protection-compliant methods, defines how data and information are protected and is thereby prepared for an audit by the supervisory authorities. This is an important point: in the event of any complaint or audit, the supervisory authority will look at the processing directory first.

The Records of Processing Activities - the basics

  • A record of processing activities must be kept by every data processing entity
  • A record of processing activities must be kept in written form. Electronic documentation complies with the law
  • Processors must keep a record of processing activities
  • Violations can be punished with fines of up to 10 million euros or 2% of annual turnover (previous fiscal year)

When does a company need a Record of Processing Activities?

According to the GDPR, almost every company needs a detailed directory showing the Record of Processing Activities (ROPA). This requirement applies to all natural persons, associations, companies and public authorities that process personal data. Processors or their representatives are also obliged to keep a register of all processing activities commissioned and are subject to the same data protection requirements as the client.

If a company is required to maintain a Records of Processing Activities (ROPA), options should be explored to ensure compliance with the GDPR. As a controller, you can create the directory on your own, but this usually turns out to be a difficult hurdle to overcome, as it involves a lot of time and high risk. The safest method, which also does not affect your core business, is to hire a specialist!

heyData is happy to offer itself as your competent partner here! Just contact us!

Under special circumstances, the obligation to keep a ROPA may not apply. According to Art. 30 (5) of the GDPR, a ROPA must only be kept if at least one of the following criteria is met:

  • The company has at least 250 employees
  • The data processing involves a risk to the rights and freedoms of data subjects
  • Particularly sensitive data are processed (religion, political opinion, sexual orientation...)
  • Data on convictions or criminal offences are processed; or
  • Internal data processing is not only occasional

The last point in particular is difficult to grasp for smaller companies, as there is no precise definition of regular or occasional processing of personal data. Case law and the relevant literature offer little clarity here.

1. Occasional data processing is generally understood to mean data processing that takes place only at long intervals or for an unpredictable period of time.

2. Regular data processing exists in these cases:

  • continuous or clearly defined (in terms of time) data processing
  • ongoing data processing
  • data processing at specific points in time

If one of these points is fulfilled, the company is obliged to keep a processing register!

The resulting documentation of all processing operations is an important pillar of data protection compliance, as the ROPA to be kept provides evidence that all provisions of the GDPR have been complied with.

The contents of a Records of Processing Activities (ROPA)

As a content requirement, all automated and non-automated processing operations involving personal data are recorded in a ROPA. All data stored or yet to be stored must be defined, and every activity related to this data must always be documented in the ROPA.

When creating a ROPA for the first time, attention should be paid to data inputs and data outputs. A separate description should be created for each individual data processing activity. If existing data is processed for a different purpose, this new processing operation is also recorded in writing!

"Do all customer data really have to be recorded in a Records of Processing Activities (ROPA)?" - heyData is often asked this question. The answer is simple: no. A Records of Processing Activities (ROPA) records the processing operations and the categories of personal data that are processed and stored internally, not the data of individual customers!

Examples of activities and data work include:

  • processing of applicant and personnel information
  • internal and external (operational) communication processes
  • data and activities from customer care
  • marketing activities
  • activities from the finance department and accounting
  • video and audio surveillance
  • data destruction processes

Each ROPA should include the following items:

  1. name and contact details of all data processing controllers
  2. contact details of the appointed data protection officer
  3. the purpose of the data processing (personnel, leave, contracts...)
  4. categories of data subjects whose data is processed (e.g. customer, employee...)
  5. categories of recipients to whom data is or will be disclosed (e.g. suppliers, public authorities or credit institutions...)
  6. data that will be transferred to a third country or to an international organization. The third countries and the international organizations must be named here
  7. information about the intended deletion periods for the respective data categories
  8. descriptions of the technical and organizational measures (TOM). All security measures implemented should be shown here (e.g. IT security, video surveillance...)

Changes must also be documented in a ROPA. If, for example, the responsible person or the designated data protection officer changes, this must be recorded in the change history.

The question of the scope of the Records of Processing Activities (ROPA) is not defined by law and is assessed on a case-by-case basis. However, if the ROPA is incomplete or missing, fines of up to 10 million euros or up to 2% of the annual turnover (previous fiscal year) may be imposed.

The Records of Processing Activities (ROPA) and the external Data Protection Officer

An external data protection officer is responsible for the secure and legally compliant implementation of data protection in the company and is in constant communication with the management and the specialist departments involved. The advantage of a qualified data protection officer is clear: he or she possesses professional and technical expertise and bears the risk for the performance of his or her tasks. To fulfil this role, the external data protection officer must demonstrate regular training and continuous knowledge building.

When compiling a ROPA, the external data protection officer should be consulted for support. He or she has the necessary expertise and practical experience. In cooperation with the respective departments and the management, all processing activities can be identified and thus documented in the processing directory.

Since the external data protection officer works within the company much like an employee, he or she knows all data protection-relevant processes and can thus ensure secure documentation. In the ROPA, he or she bundles all findings and thus ensures a complete record that can withstand an audit by the supervisory authorities.

heyData - for a legally compliant Records of Processing Activities (ROPA)

Only a properly maintained processing directory leads to legal certainty! A properly maintained directory not only complies with the law, but also saves time within the company and offers economic advantages.

heyData offers you long-term process optimization and reassuring legal certainty.

With heyData, you are able to keep Records of Processing Activities (ROPA) in a conscientious manner and have more room to maneuver for your actual core business. Don't see the processing directory as an annoying obligation - it is one of the proofs that your company meets its accountability obligations under data protection law! This strengthens your legal security, but also your internal and external image. Change management also involves the workforce and creates a "we-feeling", which is also a plus on the economic side.

Contact heyData and let our data protection experts advise you.
