ISMS Copilot

Free tool

GDPR ROPA completeness checker (Article 30)

Self-score how complete your record of processing activities is against the elements GDPR Article 30 expects: who is accountable, the purpose of each activity, the categories of people and data, recipients, transfers outside the EU/EEA, retention limits, a description of your security measures, and the discipline that keeps the register current and available to your supervisory authority, plus recommended additions such as the lawful basis. You get a completeness heatmap and a prioritised focus list. A starting point for building or auditing your ROPA, not legal advice.

Structured around GDPR Article 30 (records of processing activities), with the security-measures element drawing on Article 32(1) and the small-organisation question on Article 30(5). Element descriptions are original editorial content; refer to the regulation and your supervisory authority for the binding wording.

This is a self-assessment aid for an Article 30 register, not legal advice, an audit, or a statement that your processing complies with the GDPR. A complete record is necessary but not sufficient for compliance. Confirm your obligations with your DPO or counsel and your competent supervisory authority.


Rate each element honestly on how completely it is captured in your register today, across all your processing activities.

Accountability & contacts

Who is accountable: controller and contacts

Your organisation's identity and contact details as controller are recorded, along with any joint controllers and, where you are established outside the EU/EEA but caught by the GDPR, your appointed representative.

Data protection officer contact

Where you have appointed a DPO, their contact details are captured in the register so a supervisory authority or data subject can reach them.

Controllers you act for (processor records)

If you process personal data on someone else's behalf, your processor record lists your own name and contact details as processor, each controller you act for, and where applicable the processor's and each controller's representative and DPO. Skip if you only ever act as a controller.

Purpose & basis

Why each activity processes data

Each processing activity states the purpose it serves. As a processor, you instead record the categories of processing you carry out for each controller.

Lawful basis per activity (Recommended)

The Article 6 lawful basis for each activity (and the Article 9 condition where you handle special-category data) is noted. Article 30 does not strictly require this, but recording it makes the register far more useful and audit-ready.

Data & people

Categories of people whose data you process

Each activity names the categories of data subjects involved, such as customers, employees, prospects, patients, or website visitors.

Categories of personal data

The categories of personal data processed in each activity are listed, such as contact details, identifiers, financial data, or location data.

Special-category and criminal-offence data flagged (Recommended)

Activities involving health, biometric, racial or ethnic, political, religious, trade-union, sex-life or sexual-orientation data, or criminal-offence data, are clearly flagged, since these carry extra conditions and risk.

Recipients

Categories of recipients

Each activity records the categories of recipients the data is disclosed to, including other processors, group companies, and recipients located in third countries or international organisations.

International transfers

Transfers outside the EU/EEA identified

Where personal data leaves the EU/EEA, the record identifies the third country or international organisation receiving it. This includes remote access and sub-processor hosting outside the EU/EEA, not just deliberate exports.

Transfer safeguards documented (Recommended)

For each transfer outside the EU/EEA, the Chapter V mechanism relied on (adequacy decision, standard contractual clauses, the EU-US Data Privacy Framework, or another safeguard) is recorded. Article 30 strictly requires documenting the suitable safeguards only for the narrow Article 49(1) second-subparagraph derogation transfers; recording the mechanism for every transfer is good practice and pairs with a transfer impact assessment for higher-risk routes.

Retention

Retention and erasure time limits

Each category of data has an envisaged time limit for erasure or review, rather than being kept indefinitely. Where an exact period is impossible, the criteria used to set it are recorded.

Security measures

General description of security measures

The register carries a general description of the technical and organisational measures protecting the data (Article 32(1)), such as access control, encryption, and backups, kept at a level that is meaningful but does not have to be exhaustive.

Record-keeping discipline

Kept in writing and available to the regulator

The record is held in writing, including electronic form, and can be produced for your supervisory authority on request. A register that cannot be exported on demand does not meet this duty.

Kept current as processing changes (Recommended)

A defined owner and cadence keep the register current, so new systems, vendors, and processing activities are added rather than the document going stale after its first version.

Article 30(5) scope decision recorded

If you employ fewer than 250 people you have considered whether the limited Article 30(5) exemption applies, and recorded why it does not where your processing is not occasional, is likely to result in a risk to individuals, or includes special-category or criminal-offence data. Most organisations still need a record.

Important

This tool gives a structured self-assessment of how complete your Article 30 record of processing activities is. It is not legal advice, not an audit, and not a statement of GDPR compliance. Whether you must keep a record, and whether yours is adequate, depends on your specific processing and is ultimately judged by your competent supervisory authority. The Article 30(5) exemption is narrow and most organisations still need a register.

Primary sources

Jurisdiction: EU/EEA. Instrument: Regulation (EU) 2016/679 (GDPR). This tool reflects Article 30 as in force on the dates above.

FAQ

What is a ROPA and who has to keep one?

A record of processing activities (ROPA) is the internal register GDPR Article 30 requires, documenting what personal data you process and how. Controllers and processors both keep one. A limited exemption in Article 30(5) can apply to organisations with fewer than 250 employees, but it falls away when the processing is not occasional, is likely to result in a risk to individuals, or involves special-category or criminal-offence data, so in practice most organisations need a record.

Does a high completeness score here mean we are GDPR compliant?

No. A complete Article 30 record is necessary but not sufficient. Compliance also depends on having a lawful basis, honouring data-subject rights, securing the data, and much more. This tool only assesses whether your register captures the elements Article 30 expects, which is one building block.

What is the difference between a controller record and a processor record?

A controller's record is the fuller one: purposes, categories of data subjects and data, recipients, transfers, retention limits, and a description of security measures. A processor's record is shorter: the processor's own identity and contact details, who it processes on behalf of, any applicable representatives and DPOs, the categories of processing it performs for each controller, transfers, and a description of security measures. This checker covers both, and notes the processor angle on each element where they differ.

Is recording the lawful basis actually required by Article 30?

Not strictly. Article 30 lists the elements above without naming the lawful basis, but several supervisory authorities recommend adding it because it makes the register far more useful and links each activity to its Article 6 (and where relevant Article 9) justification. We flag those recommended additions separately from the strict Article 30 requirements so you can tell them apart.

Do you store my answers?

No. Scoring runs entirely in your browser. There is no form gate; the JSON and CSV exports and the printable report are generated locally on your device.

By ISMS Copilot.
