The records of processing activities (RoPA) are an essential component of the General Data Protection Regulation (GDPR) and the centrepiece of the data protection management system (DSMS).

The RoPA serves as proof of the legally compliant implementation of the data protection principles of the GDPR and as proof of the measures taken to ensure the security and confidentiality of personal data.

Why is a record of processing activities required?

The RoPA is important for several reasons and is therefore required by law:

  • Transparency: The RoPA creates transparency about the processing of personal data within an organisation. It makes it possible to understand how and for what purpose data is processed and who receives it.
  • Accountability: The GDPR places great importance on accountability. The RoPA shows that the company takes its data protection obligations seriously, documents them and can prove compliance with them.
  • Risk management: An up-to-date RoPA helps to identify, assess and prioritise data protection risks. This in turn facilitates the planning of risk minimisation measures.
  • Fulfilment of legal requirements: Maintaining a RoPA is an explicit requirement of the GDPR for companies and is therefore essential to avoid legal sanctions.
  • Fulfilment of data subject rights: Every natural person (customer, employee, etc.) has a right to access, erasure, rectification, etc. The RoPA provides the answers to questions about the data processed.
  • Data protection incidents: In the event of a (suspected) data breach, there is an obligation to inform the data subjects and to notify the data protection supervisory authority. A well-managed RoPA is essential in order to assess which data is affected, in which systems, and at which processing step the incident occurred.

Steps for creating and maintaining a RoPA

The creation and maintenance of the RoPA is an ongoing process that should be carefully planned and implemented.

The basic steps for creating a RoPA are:

  • Definition of responsibility: It must be determined who within the organisation is responsible for creating and updating the records. These are usually the so-called process owners of the departments and divisions, or the owners of the respective systems.
  • Recording of processing activities, covering for each activity:
    • Purpose of the data processing
    • Categories of data subjects
    • Types of data
    • Recipients of the data
    • Data transfers to third countries, if applicable
    • Intended storage and deletion periods
  • Assessment of the legal basis: A legal basis must be determined and documented for each processing activity in accordance with the GDPR. The legal bases are:
    • consent of the data subject
    • fulfilment of a contract and pre-contractual measures
    • legal obligations, or
    • legitimate interest

In the case of the legal basis "legitimate interest", the interest must be described from the company's point of view, and it must be demonstrated that the interests of the data subject do not outweigh it.

  • Risk assessment and data protection impact assessment: A threshold analysis must be used to identify processing activities that may pose a high risk to the rights and freedoms of natural persons; where necessary, a data protection impact assessment must be carried out.
  • Documentation and updating: The RoPA must be regularly reviewed and updated to reflect changes in processing activities or legal requirements.
  • Provision: It must be ensured that the RoPA can be presented in a structured form on request, e.g. to an authority or a customer.

A RoPA not only offers legal protection but, above all, contributes significantly to transparency and process optimisation within the company. It also strengthens the trust of customers, business partners and employees in the company's data protection practices. Beyond this, the RoPA is an indispensable basis for fulfilling data subjects' rights and for handling and notifying data protection incidents.

Author: Regina Mühlich – I am at your disposal for any questions and information.
Do you have any questions on this and other topics? E-mail consulting@adorgasolutions.de.
