
Free GDPR RoPA Template (2026) — Article 30 Register, Excel
Record of Processing Activities template: controller + processor sheets, lawful basis, transfers, retention columns. Free XLSX, PDF and Markdown, no email gate.
Download this template
Version 1.0 · Updated Jul 14, 2026 · Free, no email required
GDPR RoPA Template: Free Article 30 Register
The Record of Processing Activities (RoPA) is the register GDPR Article 30 obliges almost every organisation to keep: controllers document each processing activity's purposes, data categories, recipients, transfers, retention and security measures under Article 30(1), and processors document the categories of processing performed for each controller under Article 30(2). This free template ships both registers in one dropdown-driven Excel file — EU-27/EEA-framed, with lawful-basis and transfer-tool columns and ten pre-loaded example activities — so you complete rows instead of designing spreadsheets.
The RoPA is usually the first document a supervisory authority asks for: the Irish DPC's guidance expects a register that is complete, self-contained and readable by an external reviewer, and expects organisations to produce it on request. Yet most teams still build theirs from a blank sheet the week a regulator or an enterprise customer asks. This template — available as XLSX, PDF field guide, and a machine-readable Markdown file for AI agents — removes that step. It is the operational companion to our GDPR compliance guide, which explains the accountability principle this register serves; this page gives you the artefact that demonstrates it.
Key Takeaways
- Article 30 applies to controllers and processors separately: Article 30(1) governs your own processing; Article 30(2) governs what you process for customers. A B2B SaaS company almost always needs both registers — this template ships both.
- The under-250 exemption is narrower than it looks. Per the WP29 position paper (April 2018), any one of three factors — risk, non-occasional processing, or special-category data — triggers the duty. Routine payroll, CRM and support processing is never "occasional".
- The record must be written, current, and producible on request (Art 30(3)–(4)). The Irish DPC treats a stale or fragmentary register as an accountability failure in itself.
- RoPA failures sit in the lower fine tier — up to €10 million or 2% of worldwide annual turnover under Article 83(4) — and are routinely cited as aggravating factors alongside Article 5(2) accountability findings.
- One register, three regulators: UK GDPR retains Article 30 unchanged (ICO), and Norway's Datatilsynet expects the same protokoll over behandlingsaktiviteter under the Personal Data Act — the template's structure serves all three.
What's Inside the Template
The XLSX contains four sheets: Organisation Details (the Article 30(1)(a)/30(2)(a) identity block — controller, joint controllers, Article 27 representative, DPO), the Controller Register mapped column-by-column to Article 30(1)(b)–(g), the Processor Register mapped to Article 30(2)(b)–(d), and Instructions including an Article 30(5) decision aid. The PDF mirrors the field guide for print and review meetings; the Markdown variant carries full field definitions with enums so an AI agent can draft your register from your systems inventory.
Ten common processing activities come pre-loaded as worked examples — replace them with your own:
| Ref | Activity | Lawful basis | Special category | Transfer outside EEA | Retention |
|---|---|---|---|---|---|
| C-01 | Employee administration & payroll | Contract — Art 6(1)(b) | No | No | Employment + statutory periods |
| C-02 | Absence & health management | Legal obligation — Art 6(1)(c) | Yes — Art 9(2)(b) | No | Employment + statutory periods |
| C-03 | Applicant management | Legitimate interests — Art 6(1)(f) | No | Yes — US (SCCs) | 6 months after process |
| C-04 | CRM & customer management | Legitimate interests — Art 6(1)(f) | No | Yes — US (SCCs) | Relationship + 3 years |
| C-06 | Website analytics | Consent — Art 6(1)(a) | No | No | 14 months |
Each controller row also carries the columns regulators probe: categories of data subjects and personal data (Art 30(1)(c)), categories of recipients including processors (Art 30(1)(d)), the Chapter V transfer tool with an Article 49 safeguards reference (Art 30(1)(e)), retention criteria (Art 30(1)(f)), the Article 32(1) security-measures description (Art 30(1)(g)), plus DPIA status, owner, review date and a row status — with dropdown validations keeping the values consistent.
How to Use It
Step 1 — Complete the identity block. The Organisation Details sheet captures the Article 30(1)(a) and 30(2)(a) names, contacts, representatives and DPO once, so every register row doesn't have to repeat them.
Step 2 — Inventory by purpose, not by tool. CNIL's registre guidance is the cleanest structuring rule: one row per processing activity, identified by purpose. A single system can host several activities, and one activity can span several systems — "employee administration & payroll", not "the HR platform". Group rows by business function, as the Irish DPC recommends.
Step 3 — Fill every controller column, including lawful basis. Lawful basis is not in Article 30's text, but every supervisory-authority template includes it, and an enterprise customer's DPA review will ask for it. Flag Article 9 special-category data and record the Article 9(2) condition relied on — special-category processing is also one of the three factors that removes the Article 30(5) exemption.
Step 4 — Record transfers per row. "Outside the EEA" is the operative test. Name the third country, pick the Chapter V tool — adequacy decision, SCCs, BCRs — and for any Article 49 derogation, link the documented safeguards, which Article 30(1)(e) expressly requires. Keep this consistent with the subprocessor list your customers see; our guide to GDPR subprocessor management covers that adjacent register.
Step 5 — If you process for customers, complete the processor register. One row per controller, with category-level descriptions of the processing performed — hosting, backup, support access — not per-record detail. Reference the Article 28(3) DPA each row operates under.
Step 6 — Keep it alive. Assign a record owner, set review dates, and mark superseded rows "Obsolete — retained" rather than deleting them, so the register shows its own history. A RoPA that was accurate at go-live and never touched again fails the "living document" expectation every regulator now applies.
Legal Basis
The register maps to Regulation (EU) 2016/679, Article 30: the controller record under Article 30(1)(a)–(g), the processor record under Article 30(2)(a)–(d), the written-form requirement in Article 30(3) and supervisory-authority access in Article 30(4). The Article 30(5) derogation is applied as interpreted by the WP29 position paper of April 2018, endorsed by the EDPB: the three disqualifying factors are alternatives, and "occasional" means outside the regular course of business.
One forward-looking note: the Commission's 2025 digital-omnibus package proposes amending Article 30(5) to exempt organisations with fewer than 750 employees except for processing likely to result in a high risk, and the EDPB-EDPS Joint Opinion 01/2025 welcomed the targeted simplification while asking for clarifications on the threshold. As of mid-2026 this remains a proposal in the ordinary legislative procedure — the current Article 30 applies unchanged, and a register remains the practical backbone of accountability either way. Structuring conventions follow the Irish DPC's RoPA guidance (April 2023) — self-contained, granular, by business function, regulator-readable — and CNIL's registre guidance on purpose-based inventorying. The RoPA also feeds your Article 32 security-measures evidence: column (g) is a summary of the TOMs that page shows you how to demonstrate.
Beyond the EU-27: UK and Norway
In the UK, UK GDPR retains Article 30 unchanged, and the ICO's documentation guidance ships free controller and processor templates. The ICO file is UK-framed and controller-first; this template adds the processor register, EEA-transfer tooling and worked examples in one workbook — for a UK deployment, treat "outside the UK" as the transfer test and the ICO as your authority. In Norway, the GDPR applies via the EEA Agreement and the Personal Data Act (personopplysningsloven), and Datatilsynet reviews the protokoll over behandlingsaktiviteter in investigations — its Telenor decision spelled out that organisations above the Article 30(5) thresholds must maintain the full record. For EU controllers, transfers to Norway are intra-EEA, not third-country transfers.
From Register to Living Evidence
A spreadsheet RoPA proves you documented your processing; it cannot keep the documentation true. New vendors arrive, retention settings drift, a subprocessor changes region — and the register quietly stops matching reality, which is exactly the inconsistency a supervisory authority or an enterprise DPA review finds first. Orbiq's Trust Center platform keeps the buyer-facing side of this evidence — DPA, TOMs, subprocessor list, certificates — current and access-controlled in one place, so the work your RoPA documents also answers the next customer security review; Trust Center for legal teams shows how privacy counsel run that workflow. If a customer asks you to send rather than show your evidence, pair the register with our GDPR subprocessor change-notice template.
Sources & References
- Regulation (EU) 2016/679 (GDPR) — full text — Article 30(1)–(5), Article 83(4).
- WP29 — Position paper on Article 30(5) derogations — April 2018, EDPB-endorsed; the "alternative factors" and "occasional" readings.
- Irish DPC — "Records of Processing Activities under Article 30 GDPR" (April 2023) — guidance on completeness and structure, published on the Irish Data Protection Commission's website (which blocks automated link checkers, so it is cited here without a hyperlink).
- CNIL — Record of processing activities (GDPR toolkit) — purpose-based registre structuring.
- ICO — Documentation guidance and templates — UK GDPR Article 30 templates for controllers and processors.
- Datatilsynet — decision on the DPO role in Telenor ASA — Article 30 record-keeping expectations in Norway.
- EDPB-EDPS Joint Opinion 01/2025 — simplification of the record-keeping obligation — July 2025; the pending under-750 proposal.
Related Reading
Download this template
Version 1.0 · Updated Jul 14, 2026 · Free, no email required
Frequently Asked Questions
What is a RoPA under GDPR Article 30?
The Record of Processing Activities (RoPA) is the mandatory GDPR register documenting every processing activity an organisation carries out. Controllers record purposes, data-subject and data categories, recipients, third-country transfers, retention periods and security measures under Article 30(1); processors record the categories of processing performed for each controller under Article 30(2). It must be in writing, including electronic form, and be made available to the supervisory authority on request.
Who is exempt from keeping a RoPA?
Very few organisations in practice. Article 30(5) exempts organisations with fewer than 250 employees only where the processing is unlikely to result in a risk to data subjects, is occasional, and involves no special-category or criminal-offence data. The WP29 position paper of April 2018 reads these conditions as alternatives — any one of them alone triggers the duty — and 'occasional' means outside the regular course of business. Payroll, CRM, support and marketing are the regular course of business, so nearly every operating company must record its routine activities.
What must a controller's RoPA contain?
Article 30(1) requires: the controller's name and contact details (plus joint controllers, representative and DPO where applicable); the purposes of processing; categories of data subjects and personal data; categories of recipients, including in third countries; third-country transfers with the country identified and, for Article 49 derogation transfers, documented safeguards; envisaged erasure time limits where possible; and a general description of the Article 32(1) security measures where possible.
Do processors need their own RoPA?
Yes. Article 30(2) requires every processor to keep a record of all categories of processing carried out on behalf of each controller — the processor's and each controller's identity and contacts, the categories of processing performed, third-country transfers, and a general description of security measures. A B2B SaaS company is typically both: controller for its own HR, sales and marketing data, and processor for the customer data on its platform. This template ships both registers in one file.
Is lawful basis required in the RoPA?
Not by the literal text of Article 30 — but every EU supervisory-authority template includes it, and regulators read a register without lawful bases as incomplete accountability documentation. This template carries a dropdown-driven Article 6(1) lawful-basis column on every controller row, plus Article 9(2) condition fields for special-category data.
Is the RoPA requirement being relaxed for companies under 750 employees?
Not yet. The European Commission's 2025 digital-omnibus simplification proposal would amend Article 30(5) to exempt organisations with fewer than 750 employees unless processing is likely to result in a high risk, and the EDPB-EDPS Joint Opinion 01/2025 broadly welcomed the targeted change. But as of mid-2026 it remains a proposal in the ordinary legislative procedure — Article 30 applies unchanged today, and even under the proposal, high-risk processing would still require records.
How is this template different from the ICO's free RoPA template?
The ICO's Excel template is UK-framed and controller-first. This template is EU-27/EEA-framed with UK and Norway notes, ships controller and processor registers in one workbook, adds EEA-transfer columns with Chapter V transfer-tool dropdowns, pre-loads ten common processing activities as worked examples, and includes a machine-readable Markdown variant so an AI agent can draft your register.