A Record of Processing Activities (ROPA) is an internal document. It helps in creating an overall picture of the processing of personal data and is used to demonstrate that the personal data is being processed in accordance with data protection legislation. It is an integral part of demonstrating the organization’s accountability towards data protection and privacy.
Controllers and Processors are required to maintain a record of its processing activities. Obligation to draw up ROPA is a mandatory requirement under GDPR (Article 30), DIFC Data Protection Law, (Section 15) ADGM Data Privacy Law (Section 28) and is required under EU Member State Specific Laws as well.
The following details should be contained in ROPA:
- The name and contact details of the controller and, where applicable, the joint controller, the controller’s representative, and the data protection officer;
- The purposes of the processing;
- A description of the categories of data subjects and of the categories of personal data;
- The categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organizations;
- Where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization and, the documentation of suitable safeguards;
- Where possible, the envisaged time limits for erasure of the different categories of data;
- Where possible, a general description of the technical and organizational security measures
While controllers are obligated to maintain a ROPA, processors are required to maintain a ROPA for the following details:
- the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller’s or the processor’s representative, and the data protection officer;
- the categories of processing carried out on behalf of each controller;
- where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization and, the documentation of suitable safeguards;
- where possible, a general description of the technical and organizational security measures
Details of the ROPA has to be in writing and it can be maintained in an electronic form. Organizations are required to make ROPA available to supervisory authorities on request.
Click here to know more about ROPA and other privacy compliance requirements.
Disclaimer: This blog is the copyright of Reina Consulting LLP. It is not intended to be a form of solicitation or advertising. The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is viewed or that it will continue to be accurate thereafter. No person should act on such information without appropriate professional advice based on the circumstances of a particular situation. This information is not to be considered as legal advice or opinion and the firm shall not be liable for any action taken by the user, directly or indirectly, on the basis of such material.