To help you start creating your records of processing activities we have prepared GDPR-compliant records of processing activities templates, with predefined categories of data that you need to keep track of, for three different industries:
• BANKING
• TELECOMMUNICATION
• RETAIL
However, this article should be helpful regardless of the industry.
What is the Record of Processing Activities?
Art. 30 of the General Data Protection Regulation (GDPR) requires you to keep records of the processing activities involving personal data that take place under your company's responsibility. The records must be in writing, including in electronic form (Art. 30(3)).
Records of processing activities (ROPA) should answer questions like:
• how are you processing the data?
• why are you processing the data?
• what kind of data are you processing?
• where is the processing taking place?
• who are you disclosing the data to?
We need to remind you that these records of processing activities templates are just a starting point to get you going. We have talked about why an Excel sheet is not a perfect way to keep the records of processing activities.
However, just to be sure you know what the disadvantages are, we refer you to read
Does Your Company Need to Keep Records of Processing Activities?
First things first. Let's answer the qualification question: are you even obligated to keep the records?
You have to keep records of processing activities if your company has 250 or more employees.
Companies with fewer than 250 employees are exempt under Art. 30(5), but the exemption is lost, and the records are required, if any one of the following applies:
• the processing is not occasional (for example, routine HR, customer or supplier processing rather than a one-time occurrence)
• the processing is likely to result in a risk to the rights and freedoms of data subjects
• the processing includes special categories of data (Art. 9) or personal data relating to criminal convictions and offences (Art. 10)
Special Categories of Data according to the GDPR
Article 9(1) of the GDPR states that:
"Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited."
Art. 9(2) then lists the exceptions under which such data may still be processed (for example explicit consent, or obligations under employment and social security law), and any activity that relies on one of them must appear in your records.
Because almost every company processes employee, customer or supplier data on a regular basis, the processing is rarely "occasional" and the small-company exemption seldom applies in practice, so your company is most likely obligated to keep records of processing activities. Keep in mind that the records of processing activities will be the starting point for an audit by the supervisory authority, so make sure you keep them meticulously. GDPR tools can help you by automating the entire process.
How to Start with the Records of Processing Activities?
First, you need to discover personal data processing within your organization and document the data categories and the systems where they are processed. We have discussed this in our blog:
To do it properly, you should engage other departments. Specifically, engage with colleagues from data-driven departments like marketing, HR, legal and IT. Also include the core business (products, services) departments whose business model relies on data processing.
Determining your role in processing activity
Determine and document your role for each processing activity. You can be a processor in some activities and a controller in others, so make sure you are aware of your responsibilities in each role.
The deciding factor is control over the data, rather than possession. So if you determine how and why data is collected, you are a controller, and your obligations under the GDPR are greater.
"'Controller' means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data." (Art. 4(7))
The data controller is held accountable for processing done by the processor and needs to ensure there are agreements, contracts (Art. 28) and other measures in place so that the processing done by the data processor is GDPR compliant.
"'Processor' means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller." (Art. 4(8)) The data processor processes the data only on the controller's documented instructions, and sets up and runs the processes that let the controller collect, store and, if necessary, transfer the data.
A joint controller means that your organization, together with one or more other organizations, jointly determines why and how personal data is processed (Art. 26).
Difference between Data Controller and Data Processor
✅ The data controller determines the purposes and means of data processing, not the processor
✅ The data processor acts on the data controller's instructions; although it can make certain decisions about the way the processing is done, it has limited control over the data
✅ The data processor has no reason of its own to process that particular set of data
✅ The data processor and the data controller have different sets of responsibilities
Information You Should Include in Your Records
• Processing activity name
• Data subjects' categories
• Data categories
• Purpose of processing
• Data retention period
• Processing activity details
• Data receiver
• Security measures
• External systems
• Owner name
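The qualification test above (250 employees, then the three conditions that remove the small-company exemption) and this list of fields are easy to get wrong when records are kept by hand, so here is an added example, not code from the original article, of a small validator that applies both: it checks that a record carries every field listed above, flags special-category (Art. 9) and criminal-conviction (Art. 10) data by keyword, and decides whether a company must keep records. The field names, the keyword lists and the two sample records are this example's own assumptions; the samples are constructed, loosely modelled on the templates later in this article.

```python
from __future__ import annotations

# Fields this article lists under "Information You Should Include in Your Records".
# The snake_case names are this example's own choice, not a GDPR requirement.
REQUIRED_FIELDS = (
    "activity_name",
    "data_subject_categories",
    "data_categories",
    "purpose",
    "retention_period",
    "activity_details",
    "recipients",
    "security_measures",
    "external_systems",
    "owner",
)

# Art. 9(1) special categories and Art. 10 criminal-conviction data, as keywords
# matched case-insensitively against each data category string (assumed wording).
SPECIAL_CATEGORY_KEYWORDS = (
    "racial", "ethnic", "political opinion", "religious", "philosophical",
    "trade union", "genetic", "biometric", "health", "sex life", "sexual orientation",
)
CRIMINAL_DATA_KEYWORDS = ("criminal conviction", "criminal offence")

ROLES = ("controller", "joint controller", "processor")


def sensitive_categories(record: dict) -> list[str]:
    """Return the data categories of a record that are special-category or criminal data."""
    hits = []
    for category in record.get("data_categories", []):
        lowered = category.lower()
        if any(k in lowered for k in SPECIAL_CATEGORY_KEYWORDS + CRIMINAL_DATA_KEYWORDS):
            hits.append(category)
    return hits


def validate_record(record: dict) -> list[str]:
    """Return a list of problems with one ROPA entry; an empty list means it is complete."""
    problems = []
    for name in REQUIRED_FIELDS:
        if not record.get(name):
            problems.append(f"missing field: {name}")
    if record.get("role") not in ROLES:
        problems.append("role must be one of " + ", ".join(ROLES))
    # A controller that hands data to a processor needs an Art. 28 contract on file.
    if record.get("role") in ("controller", "joint controller") and record.get("processors"):
        if not record.get("processor_agreement"):
            problems.append("processor named but no Art. 28 agreement recorded")
    # A processor's own record must say which controller it acts for.
    if record.get("role") == "processor" and not record.get("controller"):
        problems.append("processor record must name the controller")
    return problems


def must_keep_records(employee_count: int, records: list[dict]) -> tuple[bool, list[str]]:
    """Apply the Art. 30 test; returns (obligated, reasons).

    250 or more employees: always obligated. Fewer: obligated as soon as any single
    activity is not occasional, is likely to pose a risk, or touches special-category
    or criminal data (Art. 30(5)).
    """
    if employee_count >= 250:
        return True, ["250 or more employees"]
    reasons = []
    for record in records:
        name = record.get("activity_name", "<unnamed>")
        if not record.get("occasional", False):
            reasons.append(f"{name}: processing is not occasional")
        if record.get("likely_risk", False):
            reasons.append(f"{name}: likely to pose a risk to data subjects")
        for category in sensitive_categories(record):
            reasons.append(f"{name}: special-category or criminal data ({category})")
    return bool(reasons), reasons


# Constructed sample records (not from any real company).
NEWSLETTER = {
    "activity_name": "Newsletter",
    "role": "controller",
    "data_subject_categories": ["Marketing contacts", "Clients"],
    "data_categories": ["Contact data"],
    "purpose": "Notifying customers about products and services",
    "retention_period": "1 year",
    "activity_details": "Marketing to existing and potential customers",
    "recipients": ["Marketing cloud service provider"],
    "processors": ["Marketing cloud service provider"],
    "processor_agreement": True,
    "security_measures": ["Pseudonymization", "Access control"],
    "external_systems": ["CRM"],
    "owner": "Head of Marketing",
    "occasional": False,
}

SICK_LEAVE = {  # deliberately incomplete: no retention period, no Art. 28 contract
    "activity_name": "Sick leave administration",
    "role": "controller",
    "data_subject_categories": ["Employees"],
    "data_categories": ["Identification data", "Data concerning health"],
    "purpose": "Payroll and statutory reporting",
    "retention_period": "",
    "activity_details": "Medical certificates forwarded to payroll",
    "recipients": ["Payroll provider"],
    "processors": ["Payroll provider"],
    "security_measures": ["Access control"],
    "external_systems": ["ERP"],
    "owner": "Head of HR",
    "occasional": True,
}

if __name__ == "__main__":
    for rec in (NEWSLETTER, SICK_LEAVE):
        print(rec["activity_name"], validate_record(rec) or "OK")
    print(must_keep_records(40, [SICK_LEAVE]))
```

Note that the sick-leave record is still "occasional" and still forces a 40-employee company to keep records, because health data alone is enough under Art. 30(5); the keyword match is a coarse screen, so review anything it flags rather than trusting it as the final word.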
Required form of Records of processing activities
The records of processing activities have to be in writing, including in electronic form, and remember, they hold value only if you keep them up to date.
There are a few more things you should take into account: departments need to be able to cooperate on the records, the records need to be usable by those departments, and the procedural information they contain must remain available and its integrity protected.
Records of Processing Activities example
The following information is the legally required minimum, which must be made available to the supervisory authority on request (Article 30(4) of the GDPR).
Document the required information about your company.
Name and contact details
| Data Controller | Data Protection Officer (if applicable) | Representative (if applicable) |
|---|---|---|
| Name | Name | Name |
| Address | Address | Address |
| Telephone | Telephone | Telephone |
If you are looking for a template to start keeping your Records of Processing Activities, any of the following ones should be sufficient as your starting point.
Records of processing activities: Credit example in a bank
| Field | Value |
|---|---|
| Processing activity name | Credit approval |
| Data subjects categories | Clients |
| Data categories | Identification data; Ownership data |
| Lawful basis | Contract |
| Purpose | Loan collateral |
| Data retention period | 11 years |
| Data controller | Company A |
| Processing activity details | We collect information from the client into the insurance application depending on the type of insurance policy. After that, we print out the client's offer; after the signature is scanned it is placed as an integral part of the loan file. These documents are sent for processing to Risk. |
| Data processor | |
| Data receiver | FINA (HR) |
| Security measures | Pseudonymization, Access control, Encryption of data |
| External systems | Core banking system |
| Owner name | John Williams, Head of Finance |
Download Records of processing activities template for the Banking industry
Records of processing activities: Marketing example in a Telecommunications company
| Field | Value |
|---|---|
| Processing activity name | Newsletter |
| Data subjects categories | Marketing contacts, Clients |
| Data categories | Contact data, Personal contact data |
| Lawful basis | Consent |
| Purpose | Notifying customers about products and services |
| Data retention period | 1 year |
| Data controller | Company A |
| Processing activity details | Marketing activities directed at existing and potential customers |
| Data processor | Marketing cloud service provider (HU) |
| Data receiver | FINA (HR) |
| Security measures | Pseudonymization, Access control |
| External systems | Analytics system, CRM, Data Warehouse, Salesforce, ERP |
| Owner name | Joanna Smith, Head of Marketing |
Download Records of processing activities template for the Telecommunication industry
Records of processing activities: HR example in a Retail company
| Field | Value |
|---|---|
| Processing activity name | Working hours record |
| Data subjects categories | Employees |
| Data categories | SAP ID; Time and attendance information |
| Lawful basis | Legal obligation |
| Purpose | Recording the time an employee spends in a particular workplace area |
| Data retention period | Until the employment contract is no longer valid, has expired, or the employee has stopped working for the company |
| Data controller | Company A |
| Processing activity details | Employees use access cards with which they can enter the premises in accordance with their assigned access rights. The cards also record entry and exit times and are used to record employee attendance and time spent at work. This information is later used in the calculation of salary. |
| Data processor | SAP EXOR |
| Data receiver | Data Link |
| Security measures | Pseudonymization, Access control |
| External systems | ERP |
| Owner name | Marie Johnson, Head of HR |
Download Records of processing activities template for Retail
Software for Managing the GDPR-compliant Processing Records
There are more than a few things you need to take into consideration when deciding on the criteria for software that is suitable to support your GDPR activities and your records of processing activities.
The software must provide:
• Central management
• Connectivity with other systems
• Proper collaboration through all organizational units
• DPO control panel and segregation of ownership of activities
• Tracking changes on data and demonstrating history
• Automated data removal
Once you have moved your records of processing activities into the software, you are ready to start working on this living document and keeping track of the personal data your organization holds, stores and processes. Make sure it stays accurate and up to date.