A Record of Processing Activities (ROPA) is an internal document that gives an overall picture of how an organization processes personal data and is used to demonstrate that the processing is carried out in accordance with data protection legislation. It is an integral part of demonstrating the organization's accountability for data protection and privacy.
Controllers and processors are each required to maintain a record of their processing activities. Drawing up a ROPA is a mandatory requirement under the GDPR (Article 30), the DIFC Data Protection Law (Section 15) and the ADGM Data Privacy Law (Section 28), and is required under EU Member State specific laws as well. Note that Article 30(5) GDPR exempts organizations with fewer than 250 employees, but only where the processing is occasional, is unlikely to result in a risk to the rights and freedoms of data subjects, and does not include special categories of data or data relating to criminal convictions and offences; because all of those conditions must hold, the exemption is narrow.
A controller's ROPA must contain the following details:
- The name and contact details of the controller and, where applicable, the joint controller, the controller’s representative, and the data protection officer;
- The purposes of the processing;
- A description of the categories of data subjects and of the categories of personal data;
- The categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organizations;
- Where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization and, the documentation of suitable safeguards;
- Where possible, the envisaged time limits for erasure of the different categories of data;
- Where possible, a general description of the technical and organizational security measures (the measures referred to in Article 32(1) GDPR, which governs security of processing).
Processors must also maintain a ROPA, but it covers a narrower set of details:
- The name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller's or the processor's representative, and the data protection officer;
- The categories of processing carried out on behalf of each controller;
- Where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization and the documentation of suitable safeguards;
- Where possible, a general description of the technical and organizational security measures.
The record must be in writing, which includes electronic form, and organizations are required to make it available to the supervisory authority on request.
Disclaimer: This blog is made available for informational purposes only. It provides general information and a general understanding of the subject, not specific advice, and should not be used as a substitute for competent professional advice.