EuroComply
Créer un compte
GDPR · runs in browser · no data retained

GDPR ROPA Generator

Build your Article 30 Record of Processing Activities. Enter your processing activities, lawful bases and retention periods — then download as Markdown. No signup, no data sent to servers.

Controller details

Activity 1

Get GDPR enforcement and deadline updates by email

What must a GDPR ROPA include?

A GDPR Article 30 Record of Processing Activities (ROPA) must list: the controller identity, purpose of each processing activity, the lawful basis, categories of data and data subjects, recipients, retention periods, international transfers, and security measures. Controllers with 250 or more employees must maintain a ROPA; smaller organisations must do so if processing is not occasional, involves special categories, or could result in risk to individuals.

  • Controller name and contact details — and DPO contact where appointed
  • Purposes of processing for each activity
  • Lawful basis under Article 6 (and Article 9 for special categories)
  • Categories of personal data and data subjects
  • Categories of recipients, including processors
  • Transfers to third countries and transfer mechanism (SCCs, adequacy, DPF)
  • Retention periods or criteria for determining them
  • Security measures — encryption, access controls, pseudonymisation
Source: Regulation (EU) 2016/679 (GDPR), Article 30Reviewed:

Who must maintain a ROPA?

Article 30(5) GDPR requires all organisations with 250 or more employees to maintain a ROPA. Smaller organisations must also maintain one if their processing is not occasional, involves special-category data or criminal conviction data, or could result in a risk to the rights and freedoms of individuals. In practice, most DPAs expect all data-processing organisations to maintain one.

Processors (Article 30(2)) must maintain a separate ROPA listing: the processor identity, all controllers on whose behalf they process, categories of processing, and security measures.

This tool generates a draft template — it does not constitute legal advice. Review your ROPA with a qualified DPO or data protection counsel before relying on it. Editorial policy. Last reviewed: .