Essential Guide to ROPA Compliance: Data Controllers vs. Data Processors


The Essential Guide to ROPA Compliance: Data Controllers vs. Data Processors provides a clear overview of the Records of Processing Activities (ROPA) requirements under data privacy regulations like the GDPR.

ROPA for Data Controllers

Data controllers are required to maintain a record of the processing activities under their control. These records must contain certain required information outlined by the GDPR. Such information includes:  

  • Name and contact details of the data controller  

  • Where applicable, the name and contact details of the joint controller, the controller’s representative, and the data protection officer  

  • Purposes of the processing activity  

  • Description of the data subjects  

  • Description of the categories of personal data involved  

  • Type of recipient to whom the personal data will be disclosed

Data controllers must also consider the requirement to include information relating to international data transfers to a third country or an international organization, as well as records of the applicable safeguards that have been put in place. Further information to be included in a record of processing activities includes, where applicable, the predicted period of retention for different categories of data and the technical or organizational measures in place to ensure the security of the personal data.

ROPA for Data Processors

In addition to the data controller, data processors must keep their own records of processing activities. However, the information that data processors are required to maintain differs slightly from what a data controller will have to record. This includes:

  • Name and contact details of the processor or processors  

  • Name and contact details of each data controller that the data processor is working on behalf of   

  • Where applicable, the name and contact details of the data controller’s or the data processor’s representative, and the data protection officer  

  • Types of processing activity carried out on behalf of each controller  

Similar to the requirements set out for data controllers, data processors must also include information relating to international data transfers to a third country, anticipated retention periods, and the security measures taken.