GDPR Article 30 — Records of Processing Activities: Complete Guide 2026

1. Who must maintain Records of Processing Activities?

The obligation to maintain Records of Processing Activities applies to every data controller under GDPR Article 30(1). Article 30(5) provides a limited exemption for organisations with fewer than 250 employees — but this exemption is far narrower than most SME owners assume.

The Art. 30(5) exemption applies only when all three conditions are met simultaneously: (1) the processing is not carried out regularly, (2) it does not include special categories of data under Art. 9 (health data, religious beliefs, trade union membership, etc.), and (3) it is unlikely to result in a risk to the rights and freedoms of data subjects.

In practice, almost all employers — regardless of headcount — must maintain RoPA because processing employee data (payroll, HR, social insurance) is by definition regular and systematic, which disqualifies them from the exemption. Similarly, any business operating a CRM, loyalty programme, or email marketing list processes customer data in a regular and systematic manner.

The SME exemption — when it applies

The Art. 30(5) exemption is realistically available only to sole traders with no employees who process personal data purely on an occasional basis — for example, a one-off consultancy engagement with a single client, no CRM, no email list, no website analytics. As soon as you hire even one employee or begin systematically collecting customer data, you fall outside the exemption. When in doubt, maintain the RoPA — the administrative burden is low and the compliance benefit is significant.

Organisation	RoPA required?	Example
Any employer (any size)	YES — employment data is regular and systematic processing	Any business with at least one member of staff
E-commerce / CRM users	YES — customer data management is systematic by nature	Online shops, B2B SaaS providers, subscription services
Micro-enterprise, no employees, occasional clients	POSSIBLY NOT — verify against Art. 30(5) criteria carefully	Solo freelancer with sporadic, one-off client engagements
Public authority or body	YES (always — no exemption applies)	Government departments, municipalities, public hospitals

2. What Art. 30(1) requires — mandatory elements

Article 30(1) GDPR sets out a specific list of information that controller RoPA must contain. Each element must be documented for every distinct processing activity — not once for the organisation as a whole. The following checklist covers all mandatory fields.

Name and contact details of the controller (and DPO if appointed) Full legal name, registered address, and contact details of the data controller; if a Data Protection Officer has been designated, their name and contact details must also be included
Purposes of the processing A specific, concrete purpose for each activity — e.g. "payroll administration", "order fulfilment and invoicing", "email marketing to opted-in subscribers". A generic entry such as "running the business" is insufficient and will be challenged by supervisory authorities
Categories of data subjects The types of individuals whose data is processed: employees, customers, prospective customers, website visitors, suppliers' contact persons, job applicants — each category listed separately where appropriate
Categories of personal data The types of data processed: name, email address, phone number, postal address, national ID number, bank account details, IP addresses, health data, etc. Special category data (Art. 9) must be explicitly identified
Categories of recipients (including processors) Any party to whom data is or may be disclosed: accountants, IT service providers, CRM vendors, payment processors, tax authorities, regulators. Cloud SaaS tools (Google Workspace, Salesforce, Mailchimp, etc.) must be listed here
Transfers to third countries and safeguards applied Where data is transferred outside the EEA (e.g. to US-based cloud services), the destination country and the transfer mechanism must be stated: adequacy decision, Standard Contractual Clauses (SCCs), Binding Corporate Rules, or derogations under Art. 49
Envisaged time limits for erasure (retention periods) How long the data will be kept before deletion or anonymisation — e.g. "5 years from invoice date" (accounting records), "duration of employment plus 10 years" (payroll records), "until consent is withdrawn" (newsletter subscribers)
General description of technical and organisational security measures A high-level description of the safeguards in place: encryption at rest and in transit, access controls, password policies, regular backups, staff training, physical security. A brief paragraph per activity is sufficient — it does not need to be a full security audit
Legal basis for the processing The applicable lawful basis from Art. 6(1): consent (a), contract (b), legal obligation (c), vital interests (d), public task (e), or legitimate interests (f). For special category data, the basis from Art. 9(2) must also be stated
Sub-processors (where applicable) If the controller uses data processors who in turn engage sub-processors, these must be identifiable in the record. Contracts with all processors under Art. 28 GDPR are a prerequisite — the RoPA entry should reflect the processor chain

Records must be in writing (electronic is fine)

Article 30(3) GDPR explicitly requires that RoPA be maintained in writing, including in electronic form. A verbal assurance that "we know what we process" carries no legal weight. The record must be available for inspection by the supervisory authority on request — which means it must be accurate and up to date at the time of any inspection, not reconstructed afterwards.

3. Practical RoPA template

The table below shows a worked example of a RoPA for a small business with employees and a customer base. Each row represents a distinct processing activity. Real RoPA entries should be more detailed than shown here — the table is condensed for readability.

Activity	Purpose	Data subjects	Data categories	Legal basis	Recipients	Retention
HR / Payroll	Employee administration, salary calculation, social insurance filings	Employees, former employees	Name, national ID, address, bank account, salary, health data (sick leave)	Art. 6(1)(c) legal obligation; Art. 9(2)(b) employment law	Payroll bureau, tax authority, social insurance agency	10 years from end of employment (payroll records)
Customer management	Order fulfilment, invoicing, after-sales support, contract management	Customers, business contacts	Name / company name, VAT ID, address, email, phone, transaction history	Art. 6(1)(b) contract; Art. 6(1)(c) legal obligation (invoicing)	Accountant, IT provider (CRM hosting), payment processor	5 years from invoice date (accounting records)
Email marketing	Sending newsletters, product updates, and promotional offers to opted-in subscribers	Newsletter subscribers, website visitors	Email address, first name, open/click behaviour, IP address (cookies)	Art. 6(1)(a) consent (subscribers); Art. 6(1)(f) legitimate interests (existing customers)	Email service provider (e.g. Mailchimp — US transfer via SCCs)	Until consent withdrawn or 3 years from last engagement

One entry per distinct processing activity

A typical SME will have between 5 and 20 processing activities in its RoPA — HR, customer management, supplier management, email marketing, website analytics, CCTV (if applicable), recruitment, IT security monitoring, and so on. Each activity with a distinct purpose warrants its own entry. Do not collapse everything into a single row labelled "business operations" — supervisory authorities treat such entries as non-compliant.

4. Processor records under Art. 30(2)

If your organisation processes personal data on behalf of other organisations (i.e. as a data processor rather than a controller), you are required to maintain a separate register under Article 30(2). This is a different document from the controller's RoPA and has different required content.

The processor's record must include: the name and contact details of each controller on whose behalf you act; the categories of processing carried out for each controller; any transfers of data to third countries and the safeguards applied; and a general description of the technical and organisational security measures.

Notably, processors are not required to document the purposes of the processing — that is the controller's responsibility. However, the processor must ensure it only processes data in accordance with the controller's documented instructions (Art. 29 GDPR).

Who is a data processor?

A payroll bureau or accountancy firm that administers HR data for client companies is a processor. A law firm storing client documents is a processor. An IT managed services provider with access to client systems and databases is a processor. A SaaS company hosting customer data on behalf of its subscribers is a processor. In each case, a Data Processing Agreement (DPA) under Art. 28 GDPR is required with each controller, and the processor's Art. 30(2) record must list all controller relationships.

5. Keeping records current

RoPA is a living document. An outdated record is almost as problematic as no record at all — it can mislead a supervisory authority about the actual scope of processing and suggests that data governance is not taken seriously. The following five steps form a practical maintenance routine.

Review at each new service or IT system deployment

Every time your organisation adopts a new software tool — a new CRM, accounting platform, HR system, email marketing service, or analytics solution — check whether it involves processing personal data. If it does, add or update the relevant RoPA entry before the system goes live. This is the single most effective habit for keeping records accurate.

Update when sub-processors or suppliers change

Changing your accountant, IT provider, email service, or cloud hosting supplier requires updating the "recipients" and "processors" fields in your RoPA. The outgoing processor must also delete or return all personal data in accordance with Art. 28(3)(g) GDPR. Document the deletion confirmation and keep it on file.

Verify retention periods annually

At least once a year, check that the retention periods stated in your RoPA reflect both the legal requirements in your sector and your actual deletion practices. A retention period that looks correct on paper but is not enforced in practice is itself a GDPR violation — the RoPA entry and the operational reality must be consistent.

Update for legal and regulatory changes

Changes in employment law, sector-specific regulations, or updated guidance from supervisory authorities can affect the legal bases or retention periods applicable to certain processing activities. Monitor legislative developments relevant to your industry and update affected RoPA entries promptly — particularly those relying on Art. 6(1)(c) legal obligation.

Conduct a full audit of the RoPA once a year

Schedule an annual review of the entire record. Are all current processing activities documented? Have any activities ceased and need to be archived? Have new activities started since the last review? Date each update — supervisory authorities sometimes ask about the history of amendments, and a dateless record raises questions about how actively it is maintained.

6. Common errors and gaps

Based on enforcement decisions from EU supervisory authorities and EDPB guidance, the following errors are the most frequently identified deficiencies in SME RoPA records.

Missing or incorrect legal basis Entries that state no legal basis, or rely on "legitimate interests" without a balancing test, or cite "contract" for processing that actually requires consent. Each activity must reference a specific provision of Art. 6(1) — and Art. 9(2) where special category data is involved
Stale retention schedules Retention periods that were set at the time the RoPA was created and never reviewed. Legal retention requirements change — particularly in employment law, accounting, and regulated sectors — and the RoPA must reflect current obligations, not those that applied years ago
Processors and sub-processors not listed Cloud services, SaaS tools, and outsourced functions routinely omitted from the "recipients" column. Google Workspace, AWS, Stripe, Mailchimp, Slack — all involve personal data processing and must appear in the record, along with whether they involve transfers outside the EEA
A single generic entry instead of per-activity entries One row for "customer data" or "employee data" instead of separate entries for each distinct purpose. HR payroll, HR recruitment, disciplinary records, and absence management are four distinct processing activities — each requiring its own entry
No description of security measures Art. 30(1)(g) requires a general description of security safeguards, but this section is frequently left blank. A brief summary — encryption, access controls, password policy, backups, staff training — satisfies the requirement and demonstrates accountability
Unmapped SaaS tools and shadow IT New software adopted by individual teams without going through a formal procurement or privacy review process. Marketing adopts a new analytics tool, Sales starts using a new prospecting platform — and neither appears in the RoPA. Regular software audits are the only reliable way to catch these

7. Fines and enforcement

Supervisory authorities across the EU have broad powers to investigate, correct, and sanction non-compliance with GDPR record-keeping requirements. Fines for RoPA violations fall under Article 83(4) GDPR, with a separate — and higher — tier for obstructing investigations.

Violation	Maximum fine
No RoPA maintained at all	€10 million or 2% of total worldwide annual turnover — whichever is higher
Incomplete or inaccurate RoPA	€10 million or 2% of total worldwide annual turnover — whichever is higher
Refusing to provide RoPA to supervisory authority	€20 million or 4% of total worldwide annual turnover — whichever is higher (obstructing investigation under Art. 83(5))

Supervisory authorities can request RoPA at any time — not just after a complaint

Under Art. 58(1)(a) GDPR, supervisory authorities have the power to order controllers and processors to provide any information required for the performance of their tasks — and this expressly includes RoPA. Authorities exercise this power proactively, not only following complaints or data breaches. Controllers should be able to produce a complete, current RoPA within a matter of days. A record that needs to be "reconstructed" after receiving a request will attract additional scrutiny.

It is also worth noting that RoPA deficiencies are frequently identified alongside other violations — a missing or inaccurate record often signals broader data governance failures. In practice, supervisory authorities treat RoPA compliance as a proxy for the organisation's overall GDPR maturity. A well-maintained record can mitigate penalties for other violations by demonstrating good-faith accountability efforts; an absent or outdated record will aggravate them.

8. Online tool: rodo.saaslab.pl

RODO Register is an online tool designed for SMEs that need to maintain GDPR-compliant Records of Processing Activities without legal or technical complexity. It guides you through each required field and keeps your record current as your organisation changes.

Set up your controller profile

Sign in with Google, enter your organisation's details (legal name, address, registration number) and, if applicable, your Data Protection Officer's contact information. These details are automatically included in every RoPA entry and in the PDF export — no need to repeat them for each activity.

Add processing activities one by one

For each activity, complete the guided form: purpose, data subject categories, data categories, legal basis, recipients, third-country transfers, retention period, and security measures. The tool suggests typical values for common activities (HR, customer management, email marketing) so you are not starting from a blank page. Each field maps directly to the Art. 30(1) requirements.

Keep your record up to date

Every change is saved with a timestamp — giving you a full revision history that you can show to a supervisory authority if asked how your RoPA has evolved. Add, edit, or archive activities as your business changes. The tool flags entries that have not been reviewed in over twelve months, prompting you to confirm they are still accurate.

Export a PDF report for your supervisory authority

With one click, export your complete RoPA as a professionally formatted PDF — including all activities, your controller details, and the date of last update. The document is ready to send to your supervisory authority on request, share with clients requiring evidence of your GDPR compliance, or attach to a Data Processing Agreement.

Maintain your GDPR Records of Processing Activities online

RODO Register is a tool for SMEs — maintain RoPA online, track processing activities and export a PDF report for your supervisory authority.

Start your RoPA online — free →

Free plan up to 5 activities. No credit card required.

GDPR Article 30 — Records of Processing Activities (RoPA): Who Needs Them and What They Must Contain