What do I need in a RoPA?
To comply with Article 30 of the GDPR, you must maintain a Register of Processing Activities (RoPA). The obligation applies separately to controllers (Article 30(1)) and to processors (Article 30(2)). If you act as a processor, you need to record the processing you carry out on behalf of each controller, and you should also track any sub-processors you engage, since each one requires the controller's prior written authorisation under Article 28(2). Note the exemption in Article 30(5): organisations with fewer than 250 employees are exempt unless the processing is likely to result in a risk to the rights and freedoms of data subjects, is not occasional, or includes special categories of data (Article 9(1)) or data relating to criminal convictions and offences (Article 10). In practice the "not occasional" condition means most processors still need a record.
Here's a breakdown of the fields your Register of Sub-Processors / Processing Activities should contain to meet Article 30(2), which applies to processors:
Processor Name and Contact Details
Include your organisation's legal name, address, and contact details.
Controller(s) Name and Contact Details
For each processing activity, record the identity and contact details of the controller on whose behalf you're acting.
(If applicable) Representative of the Controller or Processor
If either party is not established in the EU but is subject to the GDPR under Article 3(2), record the name and contact details of the EU representative it has designated under Article 27.
Data Protection Officer (DPO) Contact Details
If a DPO has been designated (Article 37), list their name and contact details.
Categories of Processing Activities
For each controller, describe the categories of processing carried out on its behalf (e.g. cloud storage, CRM hosting, analytics, payroll support). Article 30(2)(b) requires this per controller, so the same service provided to several controllers should be recorded against each of them.
Transfers to Third Countries or International Organisations
Document:
- Whether personal data is transferred outside the EU/EEA,
- The recipient third country or international organisation (Article 30(2)(c) requires it to be identified),
- The transfer mechanism relied on (e.g. adequacy decision, Standard Contractual Clauses, Binding Corporate Rules); Article 30(2)(c) does not list this explicitly, but you need it to show the transfer is lawful under Chapter V,
- Where a transfer relies on the derogation in the second subparagraph of Article 49(1), the documentation of the suitable safeguards, which Article 30(2)(c) expressly requires in the record.
(Where possible) General Description of Technical and Organisational Security Measures
A general description of the measures referred to in Article 32(1), e.g. encryption of personal data, pseudonymisation, access controls, the ability to restore availability and access after an incident, and a process for regularly testing and evaluating the effectiveness of those measures. Keep the description at a level you can maintain as controls change; the detailed evidence belongs in your security documentation, not in the register.