Free GDPR Tool

GDPR Article 30 ROPA Builder

Build your Record of Processing Activities step by step. We guide you through every mandatory Art. 30 field — controller details, data subjects, recipients, international transfers, retention, and security measures. Download the completed ROPA as a markdown file, or create a shareable link.

ROPA completeness0% — High risk

Organisation name (data controller)*Art. 30(1)(a)

The legal name of the organisation that determines the purposes and means of processing.

Registered address*Art. 30(1)(a)

Full registered address of the organisation.

Privacy / DPO contact email*Art. 30(1)(a)

The email address of the DPO or the person responsible for data protection queries.

Are there joint controllers for this activity?*Art. 30(1)(a)

If another organisation co-determines the purposes and means, they are a joint controller. You must document their details too.

Joint controller name and contact (if applicable)Art. 30(1)(a)

Name, address, and contact email of the joint controller.

14 required fields still missing

• Controller Identity: Organisation name (data controller)
• Controller Identity: Registered address
• Controller Identity: Privacy / DPO contact email
• Controller Identity: Are there joint controllers for this activity?
• Processing Activity: Name of processing activity
• Processing Activity: Purposes of the processing
• Data Subjects & Personal Data: Categories of data subjects
• Data Subjects & Personal Data: Categories of personal data processed
• Data Subjects & Personal Data: Does this activity involve special-category data (Art. 9)?
• Recipients & Transfers: Categories of recipients
• Recipients & Transfers: Is personal data transferred outside the EEA or UK?
• Retention & Deletion: Envisaged retention period (time limits for erasure)
• Legal Basis: Lawful basis for processing (Art. 6)
• Security Measures: Technical and organisational security measures

Frequently asked questions

Who is required to maintain a ROPA under GDPR Article 30?

Most organisations that process personal data. Art. 30(5) provides a narrow exemption for organisations with fewer than 250 employees — but only if the processing is occasional, doesn't involve special-category data, and is unlikely to pose a risk. In practice, most SMEs should still maintain a ROPA.

What happens if we don't have a ROPA?

Supervisory authorities (e.g. the ICO in the UK, CNIL in France) can request the ROPA at any time. Failing to produce one can result in fines under Art. 83 and is seen as evidence of poor accountability — one of the GDPR's core principles.

How often should we review our ROPA?

Whenever a processing activity changes materially — for example when you onboard a new processor, start collecting a new category of data, or enter a new market. Best practice is a formal annual review, plus ad-hoc updates as changes happen.

Does this tool constitute legal advice?

No. This tool helps you document your processing activities in a structured way. For legal advice on GDPR compliance, consult a qualified data protection lawyer or a certified DPO.

Is the ROPA the same as a DPIA?

No. A DPIA (Data Protection Impact Assessment) is required for high-risk processing under Art. 35. The ROPA is a broader inventory of all your processing activities. You reference your DPIAs in the ROPA but they are separate documents.

Loading…