Processor RoPA Creation

Overview

GDPR Article 30(2) imposes an independent obligation on every processor to maintain a record of all categories of processing activities carried out on behalf of each controller. Unlike controller records under Art. 30(1), processor records are scoped to the processing performed under the controller's instructions and contain four mandatory fields. This skill provides the complete methodology for creating and maintaining processor RoPA entries that satisfy Art. 30(2)(a) through (d).

The processor obligation is independently enforced. The Spanish AEPD sanctioned a processor under PS/00547/2021 for failure to maintain Art. 30(2) records, confirming that compliance is not derivative of the controller's own record-keeping.

Mandatory Field Requirements — Art. 30(2)

Field 1: Processor and Controller Identity — Art. 30(2)(a)

This field must identify:

• Processor legal entity name: Registered name as it appears in the national business register.
• Processor contact details: General contact email and telephone for data protection matters.
• Each controller on whose behalf the processor acts: Legal entity name and contact details of every controller whose data the processor processes.
• Controller's representative (if applicable): Where the controller is established outside the EEA and has appointed an Art. 27 representative.
• DPO: Contact details of the DPO of both the processor and each controller (if appointed).