Record of Processing Activities (ROPA)
Overview
The Record of Processing Activities (ROPA) forms the core of any data protection management system. It is required by both the Swiss Data Protection Act (FADP) and the European General Data Protection Regulation (GDPR).
It enables the traceable and complete documentation of all processing activities involving personal data within an organization.
According to the FADP, the following elements must be included:
- the identity of the data controllers
- the purpose of the processing
- a description of the categories of data subjects and categories of personal data being processed
- the categories of recipients
- if possible, the retention period of personal data or the criteria for determining this duration
- if possible, a general description of the measures to ensure data security
- if data is transferred abroad, the destination country and the guarantees for an equivalent level of data protection
For the data processor, the record must also include:
- information on the identity of both the processor and the controller
- information on the categories of processing carried out on behalf of the controller.
The ROPA supports companies by enabling them to quickly and efficiently provide information during audits, in response to data protection inquiries (for example, from data subjects or financial supervisory authorities), or in cases of incidents such as data breaches. Thus, it is an essential instrument to ensure transparency and compliance with data protection regulations.
The overview page lists all your processing activities, divided by their status into All, Active, Draft, Inactive, and Review.
Creating a new ROPA (without AI)
As with every element, you can create the ROPA manually or download a shared one from the organization. This guide focuses on manual creation. To learn more about downloading elements, read the corresponding guide.
Click on Create and select Create ROPA. Provide the following information:
- Select the responsible person and set the status.
- Name the processing activity and briefly describe how the processing will occur.
- Select the relevant organizational unit.
- The type defines your role regarding the processing activity:
  - Processor: If you process personal data on behalf of another party, act in their name, and the processing serves them.
  - Controller: If the processing serves you, you determine how and why the data is processed.
  - Joint Controller: If you and another party jointly determine the purposes and means of the processing.
  - Note: If you categorize yourself as a Processor, specify the Controller in the following field. If you are unsure, consult your Data Protection Officer.
- Classify the processing activity with an attribute. Attributes are an organizational aid. You can select one from the drop-down list or create a new attribute by typing it into the field and selecting it.
- Select the applicable regulations relevant to this processing activity.
- Set the target risk, ranging from very low to very high.
- Need To Process: Briefly describe why this processing is vital to your organization.
- Save your inputs.
Managing your ROPA
General
When you click on a particular processing activity, you will be provided with general information about that activity. To edit the general information, click the Edit button.
As with most elements, you may write notes by clicking the Notes button on the right or manage its Access and Sharing by clicking the three horizontal dots in the top right corner.
At the bottom of the screen, you can upload documents to your ROPA.
Click on the blue menu icon at the top left to expand or minimize the menu.
Purpose of Processing
On the Purpose of Processing tab, you will find all the linked purposes of the processing activity. A detailed description of the purposes is essential for data protection compliance.
- To link a purpose, click on the Add button.
- On this page, you will find the library for all purposes. You can choose one or more purposes from the list or create a new one by clicking the Create button and then typing a description into the corresponding input box.
- For each purpose, you can select the applicable regulations.
Need to Process
The Need to Process tab describes why the processing is necessary. If you do not have a description yet or want to edit it, click the Edit button, enter the information, and save it.
This information is essential for appropriate data protection compliance. To be allowed to perform a processing activity, you must have a reasonable need to do so.
Affected People
The Affected People tab lists the categories of people affected by the processing activity, such as customers or employees. Knowing whose data is being processed is essential under applicable data protection law.
You can Add categories of affected people by choosing from the existing library or creating a new one.
Data Collection Points
Documenting where the data has been collected is crucial to ensuring transparency and fulfilling your information duties. These so-called Data Collection Points, or DCPs for short, can be linked and managed under this tab.
When clicking the Add button, you may link existing DCPs with the specific processing activity or create a new one. To manage it, click on an existing DCP. To learn more about Data Collection Points, check out the guide.
Personal Data
On the Personal Data tab, you will find the list of all the personal data categories linked to the processing activity.
It's essential to keep this list complete. Be sure not to leave out any personal data categories subject to the specific processing activity. Adding new elements works the same way as described in the previous tabs.
Special Categories
Some processing activities may use Special Categories of personal data. Depending on what data protection law is applicable, Special Categories of personal data may have different definitions. In general, they are very sensitive data categories. Typical examples are genetic or biometric data.
This tab provides the Special Categories of data linked to the processing activity. Click the Add button to add or create new categories.
Note: When creating a new Special Category, you need to choose the applicable data protection regulation that stipulates the category as such. As mentioned above, not all data protection laws define Special Categories similarly. Consult your Data Protection Officer if you need clarification.
Assets
Besides its legal aspect, data protection also has a technical side: information security. Assets belong to this technical handling of the data. Assets are, therefore, everything that serves the processing of the data. This may be software or databases, physical assets such as data centers, or security measures like firewalls.
This tab lets you link all assets used for the specific processing activity. You may choose from existing assets by clicking the Add button or create a new one.
When clicking on an existing asset, you are directed to its management page, where you complete and manage the asset's details. Manage a newly created Asset to fill in all necessary information.
Follow the Guide on the Asset Register to learn more about it.
Evaluate ROPA Risk
Risk Scenarios
You can link all risk scenarios used for this processing activity on the Risk Scenarios tab.
- You can select from existing scenarios by clicking the Add button or create a new scenario.
- Then, click on each linked risk scenario to assess the current risk.
- Enter the Reasons for Risk classification / Justification for risk assessment below.
TOMs
Processing personal data requires the controller to protect this data accordingly. This is done by using appropriate technical and organizational measures, so-called TOMs.
The TOMs tab shows you all the TOMs linked to the processing activity. TOMs are implemented to mitigate specific risks. All TOMs that you add under a risk scenario will then be listed in this tab.
Add TOMs:
- Click on the risk scenario.
- Select the corresponding TOMs from the library.
- Assess the risk after mitigation.
- Enter the Reasons for Risk classification / Justification for risk assessment below.
Creating a TOM may be more elaborate than creating other elements of a processing activity. Be sure to study the guide on Controls & TOMs to include the necessary level of detail before creating a new one.
DPIA
The DPIA tab provides the Data Protection Impact Assessments (DPIA) conducted for your processing activity. Usually, you won't need to add existing DPIAs to your processing activity, as DPIAs are explicitly conducted for processing activities.
If you want to create a DPIA or learn more about it, follow the corresponding guide.
Internal Access
To ensure integrity and confidentiality, limiting access to personal data and tracking who has access are essential. Linking the internal Organizational units partially fulfills this requirement.
The tab provides the list of units already linked and lets you add additional units by clicking the Add button. You may create new organizational units by clicking the Create button.
Legal Basis
Many data protection laws require you to base your processing activity on a legal basis when processing personal data. This is true for several laws, but not all. Generally, these legal bases are predefined in the respective law. Therefore, specifying a legal basis and the applicable regulation for each processing activity is essential.
The tab shows the list of Legal Bases linked to the processing activity. You may click on the Add button if you wish to link new Legal Bases. When choosing the new elements, it's essential to note two things:
- First, you must select a legal basis that the applicable data protection law provides. For example, if you need to comply with the GDPR, you will need a Legal Basis recognized by the GDPR. The second column of the list will indicate which law the respective basis stems from.
- Second, you will need a Legal Basis for each regulation that applies to your processing. For example, if you need to comply with the Korean PIPA and the GDPR, you must choose a legal basis for the PIPA and the GDPR. This is necessary as different regulations acknowledge different legal bases. Even though some legal bases sound the same, they might mean something different under the respective laws. For instance, consent may be defined differently across regulations. Of course, you must also fulfill all the requirements for each legal basis. If you need guidance on how to rely on a specific legal basis, consult your Data Protection Officer.
Creating a new legal basis is also possible. However, be sure to get the necessary legal advice, as legal bases are generally enumerated and cannot be created freely.
External Recipients
It is essential to follow the "Data Flow" for several purposes. One ought to keep a record of where personal data comes from, what is being done to and with the data, and where it flows. The External Recipients tab covers the last of these. It shows all the third-party recipients and lets you choose new ones with the Add button.
If an external recipient is missing from your library, you must create a new one. The Vendors guide will help you with that.
Retention & Deletion
In general, there is a limit to how long personal data may be stored or processed. Of course, the retention and deletion periods depend on the nature of the personal data and the processing activity. The Retention & Deletion tab shows all the necessary periods linked to the processing activity. If you wish to add new ones, click the Add button. If the period you are looking for is already in your library, you may choose it there. Otherwise, you may need to create a new period. If you have the Retention & Deletion Periods database, you may search for a specific period there; if not, you need to create the period manually.
The Retention and Deletion Periods guide will provide more information about creating new periods.
Tasks
The Tasks tab contains the tasks linked to your current processing activity. To link a task to the processing activity, click the Add button to select one from the library or create a new one. To learn more, follow the steps in the Tasks guide.
Assessments
Using the assessments, you can have people responsible for the processing activity answer questionnaires to collect and document relevant information on the processing activity and how it is handled. Hence, the assessments are an important tool for reviewing your status and developments in the processing activity.
If you have already created an assessment, click the Add button and choose the ones you want to link. Otherwise, you may create new ones by clicking the Create button. Follow the Assessments guide to learn more.