Record of processing activities under GDPR

November 8, 2023

A data controller (or processor) under the EU’s General Data Protection Regulation (“GDPR”) has a number of obligations aimed at protecting the personal data it processes. One of them is creating and maintaining a Record of Processing Activities (“RoPA”). This is a basic but effective tool for exerting control over the processing of personal data: it makes audit and supervision by the data protection authorities easier, and it allows the business itself to manage its data processing activities more effectively. The RoPA is in essence similar to the system log for data processing that data controllers are obliged to maintain under Vietnam’s Personal Data Protection Decree (Decree 13/2023/ND-CP). This article provides a quick overview of the RoPA under GDPR.

What Is a RoPA?

As the name implies, a RoPA is a record of the personal data processing activities that an entity subject to GDPR must maintain for all processing under its responsibility. The RoPA must be in writing, which includes electronic form.[1]

Who Has the Responsibility to Maintain a RoPA?

Each controller (or processor) and, where applicable, the controller’s representative (or the processor’s representative) shall maintain a record of processing activities under its responsibility.

What is Required to be Included in the RoPA?

For data controllers, GDPR requires the following information to be included in the RoPA[2]:

  • the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer (“DPO”);
  • the purposes of the processing (what the data is being used for, e.g. HR management);
  • a description of the categories of data subjects and of the categories of personal data (examples of categories of data subjects include clients, employees, vendors, etc.; examples of categories of personal data include contact details, health records, etc.);
  • the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organizations (e.g. payroll administration service providers, HR consulting firms, etc.);
  • where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards (e.g. transfers of personal data to a parent company located outside the European Economic Area (“EEA”));
  • where possible, the envisaged time limits for erasure of the different categories of data (this will depend on the actual circumstances and retention policies of the data controller and on applicable law);
  • where possible, a general description of the technical and organizational security measures referred to in Article 32(1) (e.g. encryption, multi-factor authentication, access controls, physical and environmental controls, etc.).

For data processors, GDPR requires the following information to be included in the RoPA[3]:

  • the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller’s or the processor’s representative, and the data protection officer;
  • the categories of processing carried out on behalf of each controller;
  • where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
  • where possible, a general description of the technical and organizational security measures referred to in Article 32(1).

Are There Any Exceptions to Maintaining a RoPA?

Yes, Article 30(5) provides certain circumstances in which the obligations set out in Article 30 are not compulsory. Enterprises or organizations employing fewer than 250 persons are exempt from the RoPA obligations. However, the exemption does not apply where:

  • the processing is likely to result in a risk to the rights and freedoms of data subjects (e.g. tracking and monitoring data subjects);
  • the processing is not occasional (e.g. processing personal data for a recurring purpose, such as payroll administration);
  • the processing includes special categories of data as referred to in Article 9(1) (e.g. political opinions, religious beliefs, health, genetic or biometric data, etc.); or
  • the processing includes personal data relating to criminal convictions and offenses as referred to in Article 10.

As such, if any of the above-mentioned processing activities take place, the obligation to maintain a RoPA would be applicable. However, the RoPA would only be compulsory in respect of processing activities that are not exempted.

Example 1: Company A has 150 employees. Company A processes its employees’ personal data for payroll administration, and it also occasionally processes employees’ personal data to organize road trips. In this case, even though Company A has fewer than 250 employees, it must still maintain a RoPA for its payroll administration activity, since that processing is not occasional. However, Company A may choose not to maintain a RoPA entry for road trip organization, since that processing is only occasional and is therefore exempt (provided none of the other conditions in Article 30(5) applies to it).

Why Should You Maintain a RoPA?

First and foremost, a RoPA is a tool for compliance with GDPR. Article 30(4) states that the controller or the processor and, where applicable, the controller’s or the processor’s representative, shall make the record available to the supervisory authority on request. Failure to comply with such a request, or failure to maintain the record at all, is an infringement of Article 30 and, under Article 83(4), can attract an administrative fine of up to EUR 10 million or, in the case of an undertaking, up to 2% of its total worldwide annual turnover of the preceding financial year, whichever is higher.

Beyond compliance with GDPR, maintaining a RoPA could help your organization manage personal data more easily and optimize its operations in relation to personal data. With a properly maintained RoPA, your organization could conduct self-audits to ensure the organization is complying with data regulations and is operating smoothly.

There are other benefits as well. By regularly reviewing the RoPA, your organization can identify redundant or unnecessary data and delete it, reducing legal risk. Fulfilling data subjects’ requests becomes much easier, since the RoPA gives a clear view of which categories of data are held, where, and for what purpose. A RoPA also allows teams and individuals within the organization to cooperate and share data with each other in an orderly fashion.

In all, RoPA is much more than a simple compliance requirement. It is also a tool that all organizations processing personal data should employ in order to effectively manage personal data. A well-maintained, updated RoPA would be a great asset to the organization and a much-needed tool to optimize data management, especially in this day and age where data is becoming more and more valuable.

RoPA and Data Mapping

Data Mapping is a method of tracking data within an organization by recording what data is being processed, where it is being processed, and for what purpose. Data Mapping involves tracking, recording, and integrating elements such as data migration, data warehousing, data transformation, etc. In essence, it is a centralized record that provides an overview of the flow and life cycle of the data. Although Data Mapping is not mandatory under GDPR, it is a very good method for data management and audit, since it gives a clear and concise view of the processing of the data from beginning to end. This helps with both legal compliance and internal operations such as handling data subjects’ requests, identifying security risks, tracking data location, etc.

Putting Data Mapping and RoPA side by side, the RoPA can be seen as a basic form, and a subset, of Data Mapping. While the RoPA captures the essential information about each processing activity, Data Mapping links that information together to build a map of data flows and the data life cycle. In other words, the RoPA is one part of a data map. Data Mapping is not required under GDPR, but a well-maintained data map is of great benefit to the organization and allows it to produce a RoPA much faster, with better accuracy. Considering that a RoPA is already an obligation under GDPR, organizations should consider mapping their data as well as part of a comprehensive and efficient privacy program.

PrivacyCompliance

[1] GDPR, Art. 30.

[2] GDPR, Art. 30(1).

[3] GDPR, Art. 30(2).
