gdpr-ropa-audit
# Conducting GDPR Article 30 Records Audit
## Overview
Article 30 of the GDPR mandates that every controller and processor maintain written records of processing activities under their responsibility. This skill provides a structured methodology for auditing RoPA entries against the exhaustive field requirements specified in Art. 30(1) for controllers and Art. 30(2) for processors, ensuring completeness, accuracy, and readiness for supervisory authority review.
## Controller Record Requirements — Art. 30(1)
Each processing activity record maintained by the controller must contain:
| Field | GDPR Reference | Description |
|---|---|---|
| Controller identity and contact details | Art. 30(1)(a) | Name, address, and contact details of the controller, joint controller, and DPO |
| Purposes of processing | Art. 30(1)(b) | Specific, explicit, and legitimate purposes for each processing activity |
| Categories of data subjects | Art. 30(1)(c) | Identification of all data subject groups (employees, customers, patients, minors) |
| Categories of personal data | Art. 30(1)(c) | Types of personal data processed per activity (identifiers, financial, health, biometric) |
| Categories of recipients | Art. 30(1)(d) | All recipients including processors, joint controllers, and third-country recipients |
| International transfers | Art. 30(1)(e) | Transfers to third countries or international organisations with safeguard documentation |
| Retention periods | Art. 30(1)(f) | Envisaged time limits for erasure of different categories of data |
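As an added example (not part of this skill's own files), the field checks in the table above written as a Python completeness audit of one controller record. The record layout (dict keys, the `controller_contact` sub-fields, per-transfer `safeguard`, per-category `retention_periods`) is an assumption made for this example; the sample record is constructed and contains deliberate gaps.

```python
from typing import Any

# Required controller-record fields keyed by the Art. 30(1) sub-paragraph that mandates them.
# (c) covers both categories of data subjects and categories of personal data.
REQUIRED_FIELDS = {
    "controller_contact": "Art. 30(1)(a)",
    "purposes": "Art. 30(1)(b)",
    "data_subject_categories": "Art. 30(1)(c)",
    "personal_data_categories": "Art. 30(1)(c)",
    "recipient_categories": "Art. 30(1)(d)",
    "international_transfers": "Art. 30(1)(e)",
    "retention_periods": "Art. 30(1)(f)",
}


def audit_controller_record(record: dict[str, Any]) -> list[str]:
    """Return one finding per gap; an empty list means the record is complete."""
    findings: list[str] = []
    for key, ref in REQUIRED_FIELDS.items():
        if key not in record or record[key] is None:
            findings.append(f"{ref}: field '{key}' is absent")
        elif key != "international_transfers" and not record[key]:
            # An explicitly empty transfers list is a valid "no transfers" statement;
            # every other field must carry content.
            findings.append(f"{ref}: field '{key}' is empty")
    contact = record.get("controller_contact") or {}
    for part in ("name", "address", "dpo"):  # (a) names the controller and the DPO
        if not contact.get(part):
            findings.append(f"Art. 30(1)(a): controller contact lacks '{part}'")
    for transfer in record.get("international_transfers") or []:  # (e) needs safeguard documentation
        if not transfer.get("safeguard"):
            findings.append(f"Art. 30(1)(e): transfer to {transfer.get('country', '?')} has no documented safeguard")
    retention = record.get("retention_periods") or {}
    for category in record.get("personal_data_categories") or []:  # (f) is per data category
        if not retention.get(category):
            findings.append(f"Art. 30(1)(f): no retention period for category '{category}'")
    return findings


# Constructed sample record (hypothetical, not from any real register) with deliberate gaps.
SAMPLE_RECORD = {
    "controller_contact": {"name": "Example Ltd", "address": "1 Example Street"},  # DPO not named
    "purposes": ["payroll administration"],
    "data_subject_categories": ["employees"],
    "personal_data_categories": ["identifiers", "financial"],
    "recipient_categories": ["payroll processor", "tax authority"],
    "international_transfers": [{"country": "US", "safeguard": ""}],  # transfer without safeguard
    "retention_periods": {"identifiers": "7 years after employment ends"},  # nothing for 'financial'
}

if __name__ == "__main__":
    for finding in audit_controller_record(SAMPLE_RECORD):
        print(finding)
```

Running the block prints three findings for the sample record, one each under (a), (e) and (f); the same function can be mapped over every entry of a register export to produce the audit worklist.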