GDPR Article 30 Records of Processing Activities (RoPA)

Category: Management
Last Updated: May 26, 2026

Overview

Every organisation that processes personal data must keep a written register of its processing activities, and a supervisory authority can demand it at any moment. The Records of Processing Activities (RoPA) module turns that legal obligation into a machine-maintained controller register that is always current, fully auditable, and ready to hand over.

Under GDPR (EU 2016/679) Article 30, controllers must document the purpose, lawful basis, data subject and data categories, recipients, third-country transfers, retention periods, and security measures for each processing activity. Done by hand, this register lives in spreadsheets that drift out of date the moment a new feature is configured. The RoPA module folds register upkeep into the platform itself: new processing activities are recorded through the same interface used to configure capabilities, high-risk entries are flagged automatically for a Data Protection Impact Assessment, and a one-click CSV export produces the exact evidence pack an inspector expects. Data Protection Officers move from chasing stale documents to maintaining a living record they can defend.

Key Features

  • Complete Article 30 Field Set: Each record captures every mandatory field, including lawful basis, data subject categories, data categories, recipients, retention period, security measures, controller name, and Data Protection Officer contact, so no required element is ever missing
  • Automatic DPIA Flagging: The service marks a record as requiring a Data Protection Impact Assessment the moment it touches high-risk categories such as biometric, genetic, health, criminal record, racial or ethnic origin, political opinion, religious belief, trade union membership, sex life, or data relating to children
  • Lawful Basis Validation: Every activity is recorded against a recognised Article 6 lawful basis (consent, contract, legal obligation, vital interests, public task, legitimate interests, or a law enforcement basis), with invalid values rejected at creation
  • Third-Country Transfer Safeguards: Records flag transfers outside the European Economic Area and capture the safeguard relied upon, whether Standard Contractual Clauses or an adequacy decision reference
  • Sub-Processor and Joint Controller Tracking: Capture the names of processors and any joint controller arrangements alongside each activity, giving a full picture of who else touches the data
  • DPIA Linkage: Once a Data Protection Impact Assessment is carried out, the matching assessment is tied directly to the processing activity so the two records stay connected for audit
  • One-Click Article 30 Export: Render the full tenant register as a structured CSV that matches the Article 30 register format expected by supervisory authorities during an inspection or breach investigation
  • Strict Tenant Isolation: Every read, write, and export is scoped to the authenticated user's organisation, so one tenant's register is never visible to another
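As an added illustration, not the module's own code, the creation-time checks described by the lawful basis and DPIA features above, in Python: the lawful basis is matched against the Article 6 set (plus the law enforcement basis) and the DPIA flag is derived from the high-risk categories listed. The field names, the label normalisation rule and the rejection of an unsafeguarded third-country transfer are assumptions of this example.

```python
# Article 6 lawful bases plus the law enforcement basis the module accepts.
LAWFUL_BASES = frozenset({
    "consent", "contract", "legal_obligation", "vital_interests",
    "public_task", "legitimate_interests", "law_enforcement",
})

# Data categories whose presence marks the record as requiring a DPIA.
HIGH_RISK_CATEGORIES = frozenset({
    "biometric", "genetic", "health", "criminal_record", "racial_or_ethnic_origin",
    "political_opinion", "religious_belief", "trade_union_membership", "sex_life", "children",
})

# Mandatory Article 30 fields (the field names are assumptions of this example).
MANDATORY_FIELDS = (
    "name", "purpose", "lawful_basis", "data_subject_categories", "data_categories",
    "recipients", "retention_period", "security_measures", "controller_name", "dpo_contact",
)


def normalise(value: str) -> str:
    """Lower-case and underscore a free-text label so 'Criminal Record' matches."""
    return value.strip().lower().replace(" ", "_")


def validate_activity(record: dict) -> dict:
    """Validate a new activity at creation time and compute its DPIA flag.
    Returns {"errors": [...], "dpia_required": bool}; any error means the
    record is rejected instead of being written to the register."""
    errors = [f"missing Article 30 field: {f}" for f in MANDATORY_FIELDS if not record.get(f)]
    basis = record.get("lawful_basis")
    if basis and normalise(basis) not in LAWFUL_BASES:
        errors.append(f"unrecognised lawful basis: {basis!r}")
    # Rejecting a non-EEA transfer that names no Article 46 safeguard is this
    # example's assumption; the module is described as capturing the safeguard.
    if record.get("non_eea_transfer") and not record.get("transfer_safeguard"):
        errors.append("third-country transfer recorded without a safeguard")
    categories = {normalise(c) for c in record.get("data_categories", [])}
    return {"errors": errors, "dpia_required": bool(categories & HIGH_RISK_CATEGORIES)}


# Constructed sample: a policing activity that touches criminal-record and health data.
SAMPLE_ACTIVITY = {
    "name": "Custody records", "purpose": "Detention management",
    "lawful_basis": "Law Enforcement", "data_subject_categories": ["detainees"],
    "data_categories": ["Criminal Record", "health"], "recipients": ["custody officers"],
    "retention_period": "6 years", "security_measures": ["role-based access", "audit logging"],
    "controller_name": "Example Constabulary", "dpo_contact": "dpo@example.invalid",
}
```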

Use Cases

Law Enforcement Agencies

Police and investigative bodies process special category and criminal-record data under a law enforcement lawful basis. The register documents each policing activity, automatically flags the high-risk processing that demands a DPIA, and keeps the controller and Data Protection Officer details inspection-ready for the relevant oversight authority.

Healthcare Providers

Hospitals and clinics process health data at scale. The module records each clinical and administrative processing activity, flags health and genetic data for a DPIA, and documents retention periods and security measures so the register withstands regulator scrutiny.

Government Departments

Public bodies acting under a public task basis must account for every citizen-facing process. The register captures purpose, recipients, and retention for each activity and produces the evidence pack an oversight authority expects, without a separate documentation exercise.

Enterprises and Their DPOs

Data Protection Officers and compliance leads at any organisation gain a single, always-current register. New processing activities enter the record as features are configured, removing the gap between what the business actually does and what the paperwork claims.

Breach Response Teams

When a personal data breach must be notified under GDPR (EU 2016/679) Article 33, responders need to know precisely what data was being processed, on what basis, and with what safeguards. The export delivers that context in seconds rather than days.

Integration

The register is maintained entirely through the platform GraphQL API. A RopaQuery set of read operations lists activities, retrieves a single record, and renders the full Article 30 CSV export, while a RopaMutation set creates and amends records. Because the same authenticated context drives both register upkeep and feature configuration, recording a new processing activity is part of the normal flow of using the platform rather than a separate compliance chore.

Operations authenticate with OAuth2 bearer tokens carrying signed JWT claims, and every call is automatically scoped to the caller's organisation. Customers plug the read endpoints into their own compliance dashboards or governance tooling to pull a live view of the register, and route the CSV export straight into their evidence repository. The benefit is a register that updates itself from the system of record, so the documentation a regulator sees always reflects reality.

The CSV export is produced through a hardened writer that neutralises spreadsheet formula injection, so the evidence pack opens safely in any office suite the supervisory authority uses.
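An added example, not the platform's own writer, of what such a hardened export does, in Python: the standard csv module applies RFC 4180 quoting, and a neutralisation step prefixes any cell that a spreadsheet would otherwise evaluate as a formula so it is rendered as literal text. The column layout and the sample records are constructed for this example.

```python
import csv
import io

# Leading characters that make a spreadsheet evaluate a cell as a formula.
# Tab and carriage return are included because some office suites strip them
# before deciding whether a cell is a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Column order assumed for this example; the module's real export layout is not given.
ARTICLE_30_COLUMNS = (
    "activity", "purpose", "lawful_basis", "data_subject_categories",
    "data_categories", "recipients", "retention_period", "security_measures",
)


def neutralise_cell(value) -> str:
    """Return a cell value that a spreadsheet will render as literal text.
    Prefixing with a single quote is the usual neutralisation: the office
    suite displays the text but never evaluates it. The cost is that legitimate
    values with a leading minus (negative numbers, a bare dash) gain the prefix too."""
    text = "" if value is None else str(value)
    return "'" + text if text.startswith(FORMULA_TRIGGERS) else text


def export_register(records) -> str:
    """Render a tenant register as RFC 4180 CSV with every field neutralised."""
    buf = io.StringIO()
    # csv.writer applies RFC 4180 quoting: a field containing a comma, a double
    # quote or a line break is wrapped in quotes and embedded quotes are doubled.
    writer = csv.writer(buf, quoting=csv.QUOTE_MINIMAL, lineterminator="\r\n")
    writer.writerow(ARTICLE_30_COLUMNS)
    for record in records:
        writer.writerow([neutralise_cell(record.get(col)) for col in ARTICLE_30_COLUMNS])
    return buf.getvalue()


# Constructed sample records; the second carries a free-text purpose that an
# unhardened export would pass through and a spreadsheet would evaluate on open.
SAMPLE_RECORDS = [
    {"activity": "Appointment scheduling", "purpose": "Clinical care",
     "lawful_basis": "public_task", "data_subject_categories": "patients",
     "data_categories": "health", "recipients": "clinical staff",
     "retention_period": "8 years", "security_measures": "ISO/IEC 27001 Annex A"},
    {"activity": "Vendor onboarding", "purpose": "=SUM(A1:A2), entered by mistake",
     "lawful_basis": "contract", "data_subject_categories": "supplier contacts",
     "data_categories": "contact details", "recipients": "procurement",
     "retention_period": "-", "security_measures": 'Access control, "least privilege"'},
]
```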

Open Standards

  • GDPR (EU 2016/679) Article 30, the controller register of processing activities; the module captures every mandatory field this article requires and exports it in register form
  • GDPR (EU 2016/679) Article 35, Data Protection Impact Assessment criteria for high-risk processing; the service applies these criteria automatically to flag records that require an assessment
  • GDPR (EU 2016/679) Article 46, appropriate safeguards for third-country transfers; records capture Standard Contractual Clauses and adequacy decision references against each transfer
  • GDPR (EU 2016/679) Article 6, lawful bases for processing; every activity is validated against the recognised set of lawful bases
  • GDPR (EU 2016/679) Article 33, personal data breach notification; the register supplies the processing context a notification must describe
  • ISO/IEC 27001 Annex A, information security controls referenced in the security measures recorded for each activity
  • OAuth 2.0, the authorisation framework securing every register operation
  • JSON Web Token (JWT), the signed token format carrying the authenticated, tenant-scoped identity behind each call
  • RFC 4180 (CSV), the comma-separated values format used for the Article 30 register export, ensuring it opens cleanly in any compliant tool

Security & Compliance

The register enforces strict multi-tenant isolation: every operation is scoped to the authenticated user's organisation, and no record is reachable across tenant boundaries. Authentication is required for all read and write paths, and unauthenticated calls are refused. The Article 30 export sanitises every field against spreadsheet formula injection before writing, protecting the supervisory authority that opens the file. Because high-risk processing is flagged automatically rather than relying on a person to remember, the system reduces the chance that special category data slips into production without an assessment, supporting accountability obligations under GDPR (EU 2016/679) Article 5(2).

Last Reviewed: 2026-05-26 Last Updated: 2026-05-26