Free GDPR ROPA template

A record of processing activities (ROPA) is required under GDPR Article 30 and is the foundation of GDPR compliance — it maps what personal data you hold, why, and where it goes. Download the template below, or copy the fields into your own tool.

What a controller ROPA should include

For controllers, Article 30(1) expects records covering the following. (Processors keep a slightly different record under Art. 30(2).)

FieldExample
Processing activityCustomer relationship management
Controller name & contactAcme Ltd, privacy@acme.example
DPO / representative contact
Purpose of processingManaging customer accounts and support
Lawful basis (Art. 6)Contract (Art. 6(1)(b))
Categories of data subjectsCustomers
Categories of personal dataName, email, billing details
Special category data (Y/N)N
Categories of recipientsPayment processor, support tooling
Third-country transfers & safeguardsNone / N/A
Retention / erasure period6 years after contract ends
Security measures (general description)Access control, encryption in transit, backups

This template is a general starting point, not legal advice, and does not guarantee compliance. Your ROPA must reflect your actual processing; adapt the fields to your circumstances and consult a qualified professional or your DPO where needed.