ROPA Template | The DPO Diary

1

Controller Details

Organisation Name

Company / Registration Number

Registered Address

Controller Contact Name

Email

Phone

Joint Controllers

If you are a joint controller with another organisation, record their details below.

Joint Controller Details (if applicable)

2

Data Protection Officer

DPO Name

DPO Email

DPO Phone

When is a DPO Required?

A DPO must be appointed if you are a public authority, your core activities involve large-scale systematic monitoring, or your core activities involve large-scale processing of special category data.

3

Processing Activities Register

Document each processing activity separately. Copy this section for additional activities.

Processing Activity

Entry 1

Activity Name / Reference

Department / Business Area

Purpose(s) of Processing

Article 30(1)(b) — List all purposes for this processing activity

Lawful Basis

Consent Contract Legal Obligation Vital Interests Public Task Legitimate Interests

Categories of Data Subjects

Article 30(1)(c) — Describe the categories of individuals

Categories of Personal Data

Article 30(1)(c) — Mark special category data with ⚠️

Categories of Recipients

Article 30(1)(d) — Include internal and external recipients

International Transfers

Article 30(1)(e) — Document third country transfers

Retention Period

Article 30(1)(f)

Retention Justification

Security Measures

Article 30(1)(g) — General description of security measures

System(s) Used

Last Updated

Processing Activity

Entry 2

Activity Name / Reference

Department / Business Area

Purpose(s) of Processing

Lawful Basis

Consent Contract Legal Obligation Vital Interests Public Task Legitimate Interests

Categories of Data Subjects

Categories of Personal Data

Categories of Recipients

International Transfers

Retention Period

Retention Justification

Security Measures

System(s) Used

Last Updated

Print additional copies of this page to document more processing activities

4

Review and Maintenance

ROPA Created Date

Last Updated

Next Review Date

Review Owner

Keeping Your ROPA Up to Date

Review at least annually or when significant changes occur
Update when new processing activities are introduced
Update when processors or recipients change
Update retention periods and security measures as needed

5

Approval and Sign-off

Prepared By (Name)

Role / Title

Signature

Date

Approved By (Name)

Role / Title

Signature

Date

ICO Inspection

You must make this ROPA available to the ICO on request. Failure to maintain adequate records is a breach of Article 30 and may result in enforcement action.

Records of Processing Activities (ROPA)

Article 30 Requirements

Controller Details

Joint Controllers

Data Protection Officer

When is a DPO Required?

Processing Activities Register

Processing Activity

Processing Activity

Review and Maintenance

Keeping Your ROPA Up to Date

Approval and Sign-off

ICO Inspection

Useful Links