Free GDPR ROPA template
A record of processing activities (ROPA) is required under GDPR Article 30 and is the foundation of GDPR compliance — it maps what personal data you hold, why, and where it goes. Download the template below, or copy the fields into your own tool.
What a controller ROPA should include
For controllers, Article 30(1) expects records covering the following. (Processors keep a slightly different record under Art. 30(2).)
| Field | Example |
|---|---|
| Processing activity | Customer relationship management |
| Controller name & contact | Acme Ltd, privacy@acme.example |
| DPO / representative contact | — |
| Purpose of processing | Managing customer accounts and support |
| Lawful basis (Art. 6) | Contract (Art. 6(1)(b)) |
| Categories of data subjects | Customers |
| Categories of personal data | Name, email, billing details |
| Special category data (Y/N) | N |
| Categories of recipients | Payment processor, support tooling |
| Third-country transfers & safeguards | None / N/A |
| Retention / erasure period | 6 years after contract ends |
| Security measures (general description) | Access control, encryption in transit, backups |
This template is a general starting point, not legal advice, and does not guarantee compliance. Your ROPA must reflect your actual processing; adapt the fields to your circumstances and consult a qualified professional or your DPO where needed.