Record of Processing Activities (RoPA)

Modified on Fri, 16 Aug at 2:33 PM

Background

Article 30 of the EU General Data Protection Regulation (GDPR) mandates that organisations keep internal records detailing all personal data processing activities they conduct. These records are crucial for organisations to track the personal data they collect, its sources, and the methods of processing.

Should it be required, these records can be reviewed by the supervisory authority to assess the organisation's compliance with accountability obligations. Consequently, organisations must present these records to the supervisory authority when requested.


Who needs to document the records of processing activities?

Article 30 of the GDPR requires organisations with more than 250 employees to maintain records of processing activities. Smaller organisations need only document processing activities that are not occasional, such as those beyond a one-time event or rare occurrences; those likely to pose a risk to individuals' rights and freedoms, such as potentially intrusive actions; or those involving special category data or data concerning criminal convictions and offenses, as outlined in Articles 9 and 10 of the GDPR. The actual guidance says that the UK GDPR provides a limited exemption for small and medium-sized organisations if they employ fewer than 250 people, they need only document processing activities that:                               

  • are not occasional (e.g., are more than just a one-off occurrence or something you do rarely); or
  • are likely to result in a risk to the rights and freedoms of individuals (e.g., something that might be intrusive or adversely affect individuals); or
  • involve special category data or criminal conviction and offence data (as defined by Articles 9 and 10 of the UK GDPR).


Do Personal Audit Systems keep these records?

Personal Audit Systems Ltd's (PAS Ltd) customers are the data controllers when using the P11D Organiser, it is therefore they that need to ensure that they are correctly keeping records of any processing activities that may be carried out on their employee's data in line with the GDRP regulations.

PAS Ltd have no access to customer data and no visibility of any data processing activities that may, or may not, be undertaken by our customers.


Subject Access Requests (SAR)

Based on the above, it is our customers that need to deal with any Subject Access Requests that may be generated by employees - the relationship is between the employer and the employee. The data is controlled by our customers, and any requests therefore need to be fulfilled in line with GDPR by them.

Was this article helpful?

That’s Great!

Thank you for your feedback

Sorry! We couldn't be helpful

Thank you for your feedback

Let us know how can we improve this article!

Select at least one of the reasons
CAPTCHA verification is required.

Feedback sent

We appreciate your effort and will try to fix the article