WorkflowEU GDPR

Article 30 RoPA Intake Workflow

Collect the fields Article 30 expects for records of processing activities before a new product, supplier, system, or data use is approved.

Use the intake to separate controller and processor records, assign process owners, document recipients and transfers, state retention, and describe security measures in a self-explanatory record.

Back to main artifactReview sources
Author
Sorena AI
Published
May 9, 2026
Updated
May 9, 2026
Sections
5

Structured answer sets in this page tree.

Primary sources
5

Cited legal and guidance references.

Publication metadata
Sorena AI
Published May 9, 2026
Updated May 9, 2026
Overview

This workflow is for GDPR Article 30 Records of Processing Activities intake. It turns a proposed processing activity into a RoPA-ready record by collecting the mandatory controller or processor fields, the supporting owner evidence, and the checks needed for transfers, retention, and security measures.

Section 1

Intake trigger and minimum record

Open a RoPA intake whenever a team creates, changes, or retires a processing activity that uses personal data. The intake should start before release, supplier onboarding, campaign launch, system migration, or material data-flow change so the Article 30 record can be updated while facts are still available from the teams making the change.

The first triage is the role. If the organisation determines the purposes and essential means of the processing, collect the controller record. If it processes personal data on behalf of another controller, collect the processor record for each controller. If purposes and means are determined jointly with another party, record the joint-controller details and the allocation of responsibilities separately.

  • Create one intake row per processing activity or sub-activity, not one broad row for an entire department.
  • Name the business function, process owner, system owner, evidence owner, and approving privacy or legal reviewer.
  • Record whether the row is controller, joint-controller, processor, or sub-processor processing, with the factual reason for that role.
  • Mark which fields are prescribed by Article 30 and which fields are helpful extras such as lawful basis, risk rating, DPIA reference, breach history, or transfer mechanism.
  • Require a current, exportable record in writing or electronic form that can be made available to the supervisory authority on request.
Sources for this answer
Regulation (EU) 2016/679 (GDPR)
Article 30 requires written records of processing activities for controllers and processors and lists the minimum fields for each role.
Irish Data Protection Commission - Records of Processing Activities under Article 30 GDPR
DPC RoPA guidance supports granular, business-function-based records, organisation-wide owner input, and a self-contained RoPA rather than scattered linked documents.
EDPB Guidelines 07/2020 on controller and processor concepts
EDPB role guidance supports determining whether an actor is a controller, processor, or joint controller by looking at the specific processing and who determines purposes and means.
Section 2

Controller and joint-controller intake fields

For controller records, the intake must capture the controller identity and contact details, and where applicable the joint controller, controller representative, and data protection officer. The row should then describe the purpose, the categories of data subjects, the categories of personal data, the categories of recipients, transfers to third countries or international organisations, retention, and a general description of Article 32 security measures.

Do not accept entries such as personal data, internal, as per policy, or appropriate security. The record should be understandable to an external reader without opening internal drives or reconciling multiple documents. If a linked policy is needed for more detail, the intake still needs the actual retention period or criteria and the security measures summary in the RoPA row.

  • Purpose: state the concrete purpose, such as staff payroll, user account provisioning, customer support, fraud review, or marketing consent management.
  • Data subjects and data: split categories where the activity treats groups or data types differently, for example employees, contractors, customers, prospects, children, health data, bank details, identifiers, support messages, or logs.
  • Recipients: name recipient categories and material external recipients; distinguish separate controllers, processors, sub-processors, public authorities, and internal access groups.
  • Transfers: identify each third country or international organisation and the transfer basis or safeguard evidence used for that transfer.
  • Retention: state the time limit for each data category where possible, or the criteria used to determine it when a fixed period is not possible.
  • Security measures: describe practical measures such as access controls, authentication, encryption, restricted admin roles, secure transfer, logging, backup, staff training, and incident handling where they apply to the activity.
  • Joint controllers: attach the arrangement or owner note showing who handles rights requests, Article 13 and 14 notices, security measures, breach coordination, DPIAs where relevant, transfer decisions, and supervisory-authority contacts.
Sources for this answer
Regulation (EU) 2016/679 (GDPR)
Article 30(1) lists the controller record fields for purposes, data subjects, personal data, recipients, transfers, erasure time limits, and security measures.
Irish Data Protection Commission - Records of Processing Activities under Article 30 GDPR
DPC examples identify insufficient RoPA answers such as generic personal-data categories, policy-only retention references, and vague security-measure labels.
EDPB Guidelines 07/2020 on controller and processor concepts
EDPB guidance supports documenting joint-controller responsibility allocation and distinguishing essential means from implementation choices.
Section 3

Processor intake fields and owner evidence

For processor records, intake starts with the processor, each controller on whose behalf the processing is performed, and any applicable representatives or DPOs. The processor row should then state the categories of processing carried out for each controller, any third-country or international-organisation transfers, and the general Article 32 security measures.

The evidence package should let the controller and processor prove that the row reflects current processing. Store the processing agreement or instruction reference, sub-processor approval status, data location, transfer description, retention or deletion/return instruction, security-measure summary, and audit or information-sharing contact.

  • Controller link: identify each controller separately instead of merging customers into one vague processor row.
  • Instruction evidence: cite the contract, order form, documented instruction, or service description that authorises the processing category.
  • Sub-processing: record any sub-processor involvement, location, processing function, and written authorisation or objection workflow.
  • Data location and transfers: record where processing occurs, whether a third-country transfer happens, and which safeguard package or adequacy route supports it.
  • Termination and retention: record whether data is deleted or returned at the controller's choice and how existing copies are handled.
  • Demonstration evidence: keep the relevant portions of processor RoPA, security measures, access model, retention implementation, transfer list, and audit-support contact available for controller review.
Sources for this answer
Regulation (EU) 2016/679 (GDPR)
Article 30(2) lists processor record fields, and Article 28 requires processing on documented controller instructions under a binding written arrangement.
EDPB Guidelines 07/2020 on controller and processor concepts
EDPB guidance supports processor intake evidence for instructions, security measures, retention, data location, transfers, recipients, sub-processors, and audit information.
Irish Data Protection Commission - Records of Processing Activities under Article 30 GDPR
DPC RoPA guidance recommends processors start with each controller and then break down the processing categories for that controller.
Section 4

Transfer, retention, and security gates

The RoPA intake should block closure until transfers, retention, and security are described at the same level of specificity as the processing purpose. These fields often expose whether the record is useful: a row that says yes for a third-country transfer but does not identify the country, recipient role, safeguard, or transfer mechanism is not ready.

For SCC-based transfers, keep the transfer description aligned with the SCC appendix evidence: parties and roles, purposes of the transfer, categories of data, retention period or criteria, security measures, and any supplementary safeguards or transfer impact assessment evidence. For security, describe measures that map to the activity rather than a generic statement that controls exist.

  • Transfer gate: country or international organisation named; recipient role identified; adequacy, SCC, binding corporate rules, derogation, or other Chapter V route recorded with evidence.
  • SCC gate: appendix fields and Annex II security measures are current when parties, roles, transfers, or technical and organisational measures change.
  • Retention gate: each data category has a fixed time limit where possible, or documented criteria such as statutory requirement, contract duration, claim limitation, or deletion event.
  • Security gate: security owner confirms access control, authentication, encryption or secure transfer, logging, backup, incident response, staff training, and deletion controls that apply to the processing.
  • Owner gate: privacy, process owner, system owner, vendor owner, and security owner approve the row or record the unresolved gap before launch.
Sources for this answer
Regulation (EU) 2016/679 (GDPR)
GDPR Article 30 links RoPA fields to transfers, erasure time limits, and Article 32 technical and organisational security measures.
European Commission - New Standard Contractual Clauses Questions and Answers
Commission SCC Q&A supports transfer appendix evidence, updates when parties are added, transfer impact assessment documentation, and separate retention descriptions by data category.
ENISA Handbook on Security of Personal Data Processing
ENISA security guidance supports concrete access-control, authentication, encryption, policy, training, and risk-based security-measure descriptions.
Section 5

Closeout checks before the RoPA row is accepted

Close the intake only when the row can stand on its own. A privacy reviewer should be able to read the row and understand who controls or processes the data, why the data is used, what data and people are affected, who receives it, where it goes, how long it remains, and which security measures protect it.

Reopen the intake when a processing purpose changes, a new category of data subject or personal data is added, a recipient or sub-processor changes, a transfer destination or mechanism changes, a retention rule changes, a security measure materially changes, or a processing activity is retired.

  • No vague catch-all fields remain, including personal data, internal, as per retention policy, GDPR compliant, processor agreement, or appropriate security without detail.
  • The controller or processor distinction is supported by facts about purposes, essential means, documented instructions, and party roles.
  • The owner map shows who can change the process, who can change the system, who owns the contract or supplier relationship, and who can produce the evidence.
  • Transfer, retention, and security fields are reviewable without access to private internal file paths.
  • Obsolete processing rows are marked retired or archived for accountability rather than silently deleted from the live record.
Sources for this answer
Irish Data Protection Commission - Records of Processing Activities under Article 30 GDPR
DPC guidance supports maintaining RoPA as a living document, avoiding insufficient generic fields, and keeping records self-contained and ready to provide on request.
Regulation (EU) 2016/679 (GDPR)
Article 30(4) requires records to be made available to the supervisory authority on request.
EDPB Guidelines 07/2020 on controller and processor concepts
EDPB guidance supports reopening role analysis when the facts about purposes, essential means, or instructions change.
Recommended next step

Use this workflow to make new processing activities RoPA-ready

Sorena can help convert product, supplier, and system-change facts into Article 30 records with owner evidence, transfer checks, retention fields, and security-measure summaries.

Research workflow
Open Research Copilot for EU GDPR

Ask source-linked questions about Article 30 RoPA fields, controller and processor roles, transfers, retention, and evidence.

Explore next step
Talk to Sorena
Talk through GDPR RoPA intake implementation

Review your RoPA intake fields, owner evidence, and unresolved source gaps with Sorena.

Explore next step
Primary sources

References and citations

ENISA Handbook on Security of Personal Data Processing
enisa.europa.eu
Referenced sections
  • ENISA security guidance supports concrete access-control, authentication, encryption, policy, training, and risk-based security-measure descriptions.
"Security of Personal Data Processing"
Regulation (EU) 2016/679 (GDPR)
eur-lex.europa.eu
Referenced sections
  • Article 30(4) requires records to be made available to the supervisory authority on request.
"available to the supervisory authority"
Related guides

Explore more topics

Does the EU GDPR apply outside the EU under Article 3?
A grounded GDPR Article 3 territorial-scope FAQ covering EU establishment, offering goods or services, monitoring behavior in the EU, and Article 27 representatives.
EU GDPR Applicability Test for Products, Vendors, and Data Flows
A concrete GDPR scope test for personal data, controller and processor roles, EU establishment, EU targeting or monitoring, special-category and child data, transfers, vendors, and evidence.
EU GDPR Article 6 Legal Bases FAQ
FAQ on the six Article 6 GDPR lawful bases, consent caveats, legitimate interests, public-task and legal-obligation limits, and Article 9 special-category data.
EU GDPR Automated Decision-Making and Profiling: Article 22 Scope, Safeguards, and Evidence
source-linked GDPR guide for automated decision-making and profiling: Article 22 scope, profiling definition, transparency, lawful basis, DPIA triggers, human review rights, and evidence.
EU GDPR Breach Notification 72 Hours: Article 33 and 34 workflow
Source-grounded EU GDPR breach notification workflow covering awareness, 72-hour supervisory authority notices, processor escalation, high-risk data-subject communication, delay reasons, and evidence logs.
EU GDPR Breach Notification Workflow: 72-hour clock, risk assessment, and records
A concrete EU GDPR breach notification workflow for detecting and triaging incidents, starting the awareness clock, assessing risk, notifying authorities or data subjects, and keeping Article 33 records.
EU GDPR Checklist: scope, lawful basis, DSARs, DPIA, RoPA, transfers
Use this GDPR checklist to review scope, lawful basis, notices, DSAR handling, DPIAs, RoPA, processor contracts, SCC transfers, breach notification, retention, security, and evidence.
EU GDPR Children and Special-Category Data Guide
source-linked GDPR guide for Article 8 children's consent, Article 9 special-category data, DPIA triggers, transparency, safeguards, and evidence records.
EU GDPR Compliance Checklist: scope, rights, DPIA, RoPA, transfers
Practical EU GDPR compliance guide for mapping scope, lawful basis, notices, data-subject rights, DPIAs, RoPA, processor terms, breaches, transfers, retention, security, and penalties.
EU GDPR Controller, Processor, and Joint Controller Roles
source-linked GDPR guide for classifying controllers, processors, and joint controllers, with Article 28 contract checks, Article 26 transparency, and vendor evidence.
EU GDPR Data Subject Rights and DSAR Workflow
source-linked GDPR DSAR workflow for intake, identity checks, request scope, the one-month response clock, extensions, refusals, processor escalation, and evidence.
EU GDPR deadlines and compliance calendar
source-linked GDPR calendar entries for applicability, DSAR response timing, breach notification, DPIA review, prior consultation, transfer reviews, and retention checks.
EU GDPR DPIA and Prior Consultation Workflow
Screen high-risk processing, run a GDPR Article 35 DPIA, record mitigation, and identify when Article 36 prior consultation is required.
EU GDPR DPIA and risk management under Articles 35 and 36
EU GDPR DPIA guide covering Article 35 triggers and contents, CNIL and DPC PIA methods, residual risk, mitigation records, and prior consultation limits.
EU GDPR DSAR Exceptions: refusal, extensions, identity checks
FAQ on when EU GDPR controllers may extend, charge for, narrow, redact, or refuse a data subject access request under Articles 12 and 15.
EU GDPR DSAR Workflow: Intake, Clock, Rights, and Evidence
Run a GDPR DSAR workflow for intake, identity checks, rights scoping, one-month response timing, extensions, refusals, processor handoffs, and evidence records.
EU GDPR FAQ: scope, lawful basis, rights, DPIA, breaches, transfers
Direct EU GDPR FAQ answers on scope, controller and processor roles, lawful basis, data subject rights, DPIAs, breach notification, international transfers, and Article 83 fine tiers.
EU GDPR International Transfers and SCCs: Chapter V evidence guide
source-linked guide to GDPR Chapter V transfers, adequacy decisions, SCCs, transfer impact assessments, supplementary measures, and EU-US DPF checks.
EU GDPR Lawful Basis and Consent Guide
Focused GDPR guide to Article 6 lawful bases, consent conditions, legitimate interests, special category data, withdrawal, and evidence records.
EU GDPR Lawful Basis and LIA Workflow for Article 6(1)(f)
Assess GDPR legitimate interests with a purpose, necessity, balancing, Article 21 objection, and evidence-record workflow grounded in Article 6(1)(f).
EU GDPR Lead Supervisory Authority and One-Stop-Shop
How GDPR main establishment, cross-border processing, Article 56 lead authority competence, and Article 60 cooperation fit together.
EU GDPR LIA Template for Article 6(1)(f)
Use this EU GDPR legitimate interests assessment template to document Article 6(1)(f) purpose, necessity, balancing, safeguards, objection rights, and evidence.
EU GDPR penalties and fines: Article 83 tiers and evidence
EU GDPR penalties and fines guide covering Article 83 fine tiers, assessment factors, Article 58 powers, and evidence records for controllers and processors.
EU GDPR Processor Contracts and Vendor Management | Article 28 Evidence Guide
EU GDPR Article 28 guide for processor contracts, sub-processor controls, controller-processor role boundaries, vendor evidence, and SCC transfer clauses where applicable.
EU GDPR Record of Processing Activities Template: Article 30 RoPA Fields
Build a GDPR Article 30 record of processing activities with separate controller and processor fields for purposes, data categories, recipients, transfers, erasure time limits, and security measures.
EU GDPR Requirements: scope, rights, security, DPIA, RoPA, and transfers
Overview of core EU GDPR requirements covering scope, principles, lawful basis, notices, data-subject rights, processors, RoPA, security, breaches, DPIAs, and international transfers.
EU GDPR Retention and Erasure Schedule
Build an EU GDPR retention and erasure schedule around storage limitation, Article 17 erasure grounds, Article 12 rights handling, Article 19 recipient notices, and Article 30 RoPA fields.
EU GDPR SCC Transfer Impact Assessment FAQ
source-linked FAQ on when SCC transfer impact assessments are needed, what Clause 14 records, and when supplementary safeguards or transfer suspension are required.
EU GDPR Transfer TIA and SCC Workflow
A GDPR workflow for checking adequacy, selecting SCC modules, documenting transfer impact assessments, and recording supplementary measures for third-country transfers.
EU GDPR Transparency Notices: Articles 12, 13 and 14
Source-grounded GDPR guide to privacy notices under Articles 12, 13 and 14: direct collection, third-party data sources, recipients, transfers, retention, rights, and lawful basis.
EU GDPR vs Brazil LGPD: GDPR-led comparison and source gaps
Compare EU GDPR duties with Brazil LGPD only where the available sources support the comparator, with GDPR rows for lawful basis, rights, breach, transfers, roles, and evidence.
EU GDPR vs California CCPA: grounded GDPR comparison limits
Compare GDPR implementation duties with source-limited California CCPA/CPRA context, showing where the available grounding supports a claim and where it does not.
EU GDPR vs ePrivacy Directive: personal data, cookies, consent, and communications
Compare the EU GDPR and ePrivacy Directive for personal data processing, consent and lawful basis, cookies and terminal access, electronic communications, and parallel compliance.
EU GDPR vs UK GDPR: source-limited compliance comparison
Compare EU GDPR obligations with source-limited UK GDPR transfer notes grounded in EU GDPR sources, covering scope, lawful basis, rights, accountability, records, DPIAs, security, and transfers.
GDPR processor vs controller: role boundaries and evidence
Decide whether a party is a GDPR controller, processor, or joint controller using purpose-and-means tests, Article 28 terms, Article 26 arrangements, and Article 30 records.
GDPR vs EU AI Act: privacy controls for AI systems
Compare GDPR privacy duties with the EU AI Act only where the GDPR source pack supports the point: lawful basis, notices, DPIA, ADM, RoPA, rights, and source limits.
GDPR vs EU Data Act: personal data safeguards and source limits
Compare GDPR obligations with the EU Data Act only where the available GDPR grounding supports the fact pattern, with clear safeguards for personal data, rights, transfers, and accountability.
When does the EU GDPR require a DPIA?
Answer the EU GDPR DPIA threshold question with Article 35 triggers, high-risk criteria, supervisory-authority list checks, and DPIA content requirements.
When does the GDPR 72-hour breach notification clock start?
GDPR breach-awareness FAQ covering the Article 33 clock, processor escalation, delayed or phased notifications, risk assessment, and records to keep.