
GDPR Article 30 Record of Processing Activities Template

Use this RoPA template to document the Article 30 fields that controllers and processors must be able to maintain in writing and make available to a supervisory authority on request.

The template separates controller and processor records, then turns purposes, data-subject categories, personal-data categories, recipients, transfers, erasure time limits, and security measures into usable evidence fields.

Author
Sorena AI
Published
May 9, 2026
Updated
May 9, 2026
Overview

A GDPR record of processing activities should be a self-contained inventory of real processing activities, not a policy reference or a list of system names. Start with the role for each activity, then complete the Article 30 fields that apply to that role. Under Article 30(5), organisations with fewer than 250 employees may be exempt unless the processing is likely to result in a risk to people's rights and freedoms, is not occasional, or includes special-category data or personal data relating to criminal convictions and offences.

Section 1

Controller RoPA fields to include

Use one row per processing activity or sub-activity. The row should be granular enough for an external reader to understand why the data is used, whose data is involved, which data categories are processed, who receives it, whether it leaves the EEA or goes to an international organisation, how long it is kept, and which security measures protect it.

Mark Article 30 fields separately from helpful extra fields. Lawful basis, special-category condition, risk rating, DPIA reference, breach reference, and transfer mechanism can make the record more useful, but they should not hide the prescribed Article 30 information.

  • Record owner fields: controller name and contact details, joint controller if any, controller representative if any, DPO if any, business function, process owner, and last reviewed date.
  • Activity fields: processing activity, sub-activity, purpose of processing, systems or locations used, and whether the row is active, planned, or archived.
  • People and data fields: categories of data subjects, categories of personal data, and separate flags for Article 9 special-category data or Article 10 criminal-offence data where relevant.
  • Disclosure fields: categories of recipients, including internal recipient groups, external recipients, processors, other controllers, recipients in third countries, and international organisations.
  • Transfer fields: third country or international organisation, transfer route or safeguard, Article 49 safeguard documentation where relied on, and where the supporting transfer document can be produced.
  • Retention and security fields: envisaged erasure time limits by data category, retention trigger, deletion or archive owner, and a general description of technical and organisational security measures.
Section 2

Processor RoPA fields to keep separate

Processors need a different Article 30 record. Do not reuse the controller template without changing the row logic: a processor row should start with the controller on whose behalf the processing is carried out and the categories of processing performed for that controller.

A processor record can still use many of the same evidence fields, but the role statement must show that the processor is processing on behalf of a controller and that the row is organised around the controller served.

  • Processor identity fields: processor name and contact details, any other processor involved, processor representative if any, DPO if any, and the controller for whom the processing is performed.
  • Controller relationship fields: contract or other binding legal act reference, instruction owner, service or processing category, sub-processor use, and controller approval or authorisation status.
  • Processing fields: categories of processing carried out on behalf of each controller, systems or hosting locations, access groups, and operational hand-offs.
  • Transfer fields: any third-country or international-organisation transfer, the country or organisation, and Article 49 safeguard documentation where applicable.
  • Security fields: general Article 32 security measures, including access controls, encryption or pseudonymisation where used, resilience or availability controls, and testing or assessment cadence where documented.
Section 3

Role split and row design

Complete the role assessment before filling the template. Under the GDPR, a controller determines the purposes and means of processing; a processor processes personal data on behalf of a controller; joint controllers jointly determine purposes and means for the relevant processing.

Where the same vendor relationship includes multiple roles, create separate rows. For example, one service may process support-ticket content as a processor while another recipient uses payment or banking data for its own controller purpose.

  • Role evidence prompt: who decides why the data is processed and which essential means are used?
  • Processor evidence prompt: what documented instructions, processing agreement, security requirements, and sub-processor terms govern the activity?
  • Joint-controller evidence prompt: what arrangement allocates transparency duties, data-subject rights handling, security, breach handling, and contact-point responsibilities?
  • Recipient evidence prompt: is the recipient an internal team, processor, sub-processor, independent controller, joint controller, public authority, third-country recipient, or international organisation?
  • Granularity prompt: split rows when purpose, data category, recipient, transfer route, retention period, or security measure differs materially.
Section 4

Evidence template rows for common activities

Use these row patterns as evidence prompts, then replace the examples with the organisation's actual facts. Avoid entries such as "personal data", "internal", "appropriate security", or "as per retention policy" unless the row also states the concrete data, recipients, measures, and retention rule.

The record should be readable without opening internal folders. If a policy, contract, DPIA, transfer impact assessment, or retention schedule is linked, the RoPA row should still summarise the relevant field and identify who can produce the supporting document.

  • HR payroll row: purpose is payroll and employment administration; data subjects are employees or workers; data categories may include identity, contact, payroll, bank, tax, absence, and deduction data; recipients may include payroll provider, tax authority, pension provider, and bank; retention should be stated by category.
  • Customer account row: purpose is account creation and service delivery; data subjects are customers, users, admins, or prospects; data categories may include account identifiers, contact details, authentication metadata, usage records, support history, and billing data.
  • Marketing row: purpose should identify the campaign or communication type; data-subject categories should distinguish prospects, customers, event contacts, and unsubscribed contacts; recipients should include marketing platforms, analytics providers, or agencies where used.
  • Security logging row: purpose should distinguish access control, fraud prevention, incident investigation, or service resilience; data categories should list identifiers, IP addresses, device data, log timestamps, and event data instead of saying "technical data".
  • Processor service row: start with the controller, categories of processing performed for that controller, sub-processors used, transfer locations, security measures, and how the processor can export the relevant RoPA information to the controller.
Section 5

Transfer, retention, and security checks before use

Before relying on the RoPA, test the fields that usually fail first: transfers, retention, and security. These fields should not be buried in linked documents or left as unexplained shorthand.

A usable Article 30 record should let privacy, legal, security, vendor management, and product owners answer the same questions from the same row: what processing is happening, why it is happening, who receives the data, where it goes, when it is erased, and how it is protected.

  • Transfer check: each third-country or international-organisation transfer identifies the destination, recipient or recipient category, transfer mechanism or safeguard, and supporting document owner.
  • Retention check: each activity states the envisaged erasure time limit where possible and avoids unsupported entries such as "indefinitely", "as needed", or "see policy".
  • Security check: each activity has a general description of relevant technical and organisational measures, such as access control, encryption, segregation, logging, backup, resilience, testing, or staff controls where actually used.
  • Availability check: the record is in writing, including electronic form, and can be exported as a readable standalone record if a supervisory authority requests it.
  • Update check: new products, vendors, data categories, recipients, transfer routes, retention changes, or security-control changes trigger a row update.
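The role split in Sections 1 and 2 and the pre-use checks above can be run mechanically against an exported register. The validator below is an added example, not code from the template page or from Sorena: it models a RoPA row as a plain dictionary, picks the required Article 30 fields by role (controller or processor), adds the transfer fields when a row flags a third-country or international-organisation transfer, and rejects the shorthand entries the template tells you to avoid. The field names, the placeholder list, and the three sample rows are all constructed for this example and should be renamed to match the organisation's own template.

```python
"""Validate Article 30 RoPA rows against the template's role and pre-use checks.

Added example; field names and sample rows are constructed, not taken from the page.
"""
from __future__ import annotations

# Fields every row carries regardless of role (constructed names).
COMMON_FIELDS = ("role", "activity", "security_measures")

# Article 30(1) controller fields as the template lists them.
CONTROLLER_FIELDS = (
    "controller_name", "controller_contact", "purpose",
    "data_subject_categories", "personal_data_categories",
    "recipient_categories", "erasure_time_limit",
)

# Article 30(2) processor fields: the row is organised around the controller served.
PROCESSOR_FIELDS = (
    "processor_name", "processor_contact",
    "controller_served", "processing_categories",
)

# Extra fields required when the row flags a transfer (transfer check in Section 5).
TRANSFER_FIELDS = ("transfer_destination", "transfer_safeguard", "transfer_document_owner")

# Unsupported shorthand the template says to reject (lower-cased for comparison).
PLACEHOLDERS = {
    "personal data", "internal", "appropriate security", "as per retention policy",
    "indefinitely", "as needed", "see policy", "technical data",
}


def _is_placeholder(value) -> bool:
    """True when a value is empty, None, or (recursively) one of the rejected shorthands."""
    if value is None:
        return True
    if isinstance(value, str):
        text = value.strip().lower()
        return not text or text in PLACEHOLDERS
    if isinstance(value, dict):          # e.g. erasure time limits keyed by data category
        return not value or any(_is_placeholder(v) for v in value.values())
    if isinstance(value, (list, tuple, set)):
        return not value or any(_is_placeholder(v) for v in value)
    return False


def validate_row(row: dict) -> list[str]:
    """Return a list of findings; an empty list means the row passes every check."""
    role = row.get("role")
    if role not in ("controller", "processor"):
        return [f"role must be 'controller' or 'processor', got {role!r}"]
    required = list(COMMON_FIELDS)
    required += CONTROLLER_FIELDS if role == "controller" else PROCESSOR_FIELDS
    if row.get("has_transfer"):
        required += TRANSFER_FIELDS
    findings = []
    for field in required:
        if field not in row:
            findings.append(f"missing field: {field}")
        elif _is_placeholder(row[field]):
            findings.append(f"placeholder or empty value in {field}: {row[field]!r}")
    return findings


def validate_register(rows: list[dict]) -> dict[str, list[str]]:
    """Map each failing activity name to its findings; rows that pass are omitted."""
    report = {}
    for row in rows:
        findings = validate_row(row)
        if findings:
            report[row.get("activity", "<unnamed>")] = findings
    return report


# Constructed sample rows (hypothetical organisation and vendor names).
HR_PAYROLL_ROW = {
    "role": "controller", "activity": "HR payroll",
    "controller_name": "Example Ltd", "controller_contact": "privacy@example.com",
    "purpose": "payroll and employment administration",
    "data_subject_categories": ["employees", "workers"],
    "personal_data_categories": ["identity", "contact", "payroll", "bank", "tax"],
    "recipient_categories": ["payroll provider", "tax authority", "pension provider", "bank"],
    "erasure_time_limit": {"payroll": "7 years after employment ends",
                           "bank": "1 year after employment ends"},
    "security_measures": ["role-based access control", "encryption at rest", "access logging"],
    "has_transfer": False,
}

BAD_LOGGING_ROW = {  # fails: four shorthand values plus a flagged transfer with no transfer fields
    "role": "controller", "activity": "Security logging",
    "controller_name": "Example Ltd", "controller_contact": "privacy@example.com",
    "purpose": "incident investigation",
    "data_subject_categories": ["users", "admins"],
    "personal_data_categories": "technical data",
    "recipient_categories": "internal",
    "erasure_time_limit": "see policy",
    "security_measures": "appropriate security",
    "has_transfer": True,
}

PROCESSOR_ROW = {
    "role": "processor", "activity": "Support ticket hosting",
    "processor_name": "Example Hosting BV", "processor_contact": "dpo@example-hosting.example",
    "controller_served": "Example Ltd",
    "processing_categories": ["storage", "backup", "access on documented instruction"],
    "security_measures": ["pseudonymisation", "encryption in transit", "annual penetration test"],
    "has_transfer": True,
    "transfer_destination": "United States",
    "transfer_safeguard": "standard contractual clauses",
    "transfer_document_owner": "vendor management",
}

if __name__ == "__main__":
    for activity, findings in validate_register([HR_PAYROLL_ROW, BAD_LOGGING_ROW, PROCESSOR_ROW]).items():
        print(activity)
        for finding in findings:
            print("  -", finding)
```

Running the block reports only the "Security logging" row, with seven findings: the four rejected shorthand values and the three transfer fields that are missing despite the transfer flag. The checks are deliberately structural (presence and non-placeholder values); whether a stated safeguard or retention period is actually adequate still needs the human review the template describes.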
Recommended next step

Use the template to produce controller and processor records

Sorena can help convert systems, vendors, products, and processing purposes into Article 30 rows with cited sources, owner assignments, retention fields, transfer fields, and evidence prompts.

Primary sources

References and citations

  • commission.europa.eu, "Standard Contractual Clauses": Commission SCC resources support documenting transfer safeguards where a RoPA row identifies third-country transfers that use standard contractual clauses.
  • eur-lex.europa.eu, GDPR Articles 30 and 32 ("technical and organisational measures to ensure a level of security appropriate to the risk"): these articles support the transfer, erasure-time-limit, security-measure, written-record, and authority-access checks in this template.