
How to Fulfill GDPR Article 30 Requirements

Vaibhav Antil, CIPM
March 11, 2021

One of the essential documentation requirements of the GDPR is to maintain a Record of Processing Activities, also called the GDPR Article 30 Report or ROPA Report.

The rationale behind this report is that it forces you to define the key business processes in which personal data is processed to achieve a goal or purpose, and then to evaluate, for each of them, what data you collect, whether any international transfers take place and whether you have appropriate technical and organisational measures in place to protect the data. The GDPR Article 30 Report can be extended to check whether each process complies with the seven data processing principles of GDPR Article 5.

What is the GDPR Article 30 Report?

Article 30 of the GDPR states that each controller and processor must maintain a Record of Processing Activities that clearly sets out the processing activities, the data collected, the purposes, international transfers and the technical and organisational measures applied. It is one of the first documents a regulator will ask for to see whether your business is compliant and whether the record has been kept up to date. An up-to-date Article 30 report is a strong signal that you have a working privacy and GDPR compliance programme: it shows you have complete oversight of why, what and where data is processed in your company.

Exemptions for GDPR Article 30 Report:

Under Article 30(5), organisations with fewer than 250 employees are exempt from maintaining this report. Please note that you only qualify for this exemption if all of the following hold for the processing you carry out:

  1. It is not likely to result in a risk to the rights and freedoms of data subjects
  2. It is only occasional; this means most internet businesses will not get the exemption
  3. It does not include special category data or data relating to criminal convictions and offences

If you have more than 50 employees, we recommend that you start creating the GDPR Article 30 report in spreadsheets and automate it later, once you have grown and manual processes become unmanageable.

Format of GDPR Article 30 Report:

The record must be in writing, which includes electronic form (Article 30(3)).

How to create a GDPR Article 30 Report:

The most comprehensive way to create a GDPR Article 30 Report is through data mapping. Read our definitive guide on GDPR data mapping for details on how to implement data mapping in your organisation. Here is a summarised view of the same:

  1. Make an internal case to management on the benefits of the Article 30 report and the potential fines for not having one.
  2. Interview the VPs/Directors of the various business units to define the key processing activities.
  3. Send assessments to these stakeholders to collect the information required for the GDPR Article 30 report.
  4. You will find gaps, such as a missing retention schedule; create a plan to remediate them.
  5. Your Article 30 report is not a point-in-time exercise; it must be kept up to date. For example, when a new feature is added, ensure it is reflected in your GDPR Article 30 Report.
  6. You can leverage our GDPR Article 30 Templates to collect this information and automate these manual workflows.

How to ensure your GDPR Article 30 Report is up to date

Companies are dynamic: your employees will change processes by collecting more data, finding new uses for it, releasing new features or adding more vendors. This means your GDPR Article 30 report will become outdated unless you proactively maintain it. We recommend the following steps:

  1. Have a review process with the stakeholders of each processing activity. Review high-risk processes quarterly, medium-risk processes every six months and low-risk processes annually.
  2. Sync PIAs/DPIAs with the Article 30 Report. Whenever new features or processes are proposed, you should do a Privacy Impact Assessment and, in some cases, a Data Protection Impact Assessment. The outcome of these assessments should update your GDPR Article 30 report.
  3. Vendor management should ensure that new vendors are added to your GDPR Article 30 report and that new use cases of existing vendors are captured.

You can use our built-in automations to run these review assessments with stakeholders and to sync PIAs/DPIAs and vendor assessments with your GDPR Article 30 Report.

GDPR Article 30 - ROPA Report

GDPR Article 30 Report for a Controller:

Each controller and, where applicable, the controller’s representative shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information:

  1. The name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer;
  2. The purposes of the processing;
  3. A description of the categories of data subjects and of the categories of personal data;
  4. The categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organisations;
  5. Where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
  6. Where possible, the envisaged time limits for erasure of the different categories of data;
  7. Where possible, a general description of the technical and organisational security measures referred to in Article 32(1).

GDPR Article 30 Report for a Processor:

Each processor and, where applicable, the processor’s representative shall maintain a record of all categories of processing activities carried out on behalf of a controller, containing:

  1. The name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller’s or the processor’s representative, and the data protection officer;
  2. The categories of processing carried out on behalf of each controller;
  3. Where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
  4. Where possible, a general description of the technical and organisational security measures referred to in Article 32(1).

Vaibhav is the founder of privado.ai and a CIPM certified privacy professional.
