URL: /partner/ropa/
The Record of Processing Activities (ROPA) is a UK GDPR requirement (Article 30) that documents all processing of personal data carried out by the practice.

Each processing activity entry captures:

| Field | Description |
|---|---|
| Name | Clear identifier for the processing activity |
| Purpose | Why the data is processed |
| Lawful Basis | The legal basis for processing (see below) |
| Data Categories | What types of personal data are involved |
| Data Subjects | Whose data is being processed |
| Recipients | Who the data is shared with |
| Third-Country Transfers | Any transfers outside the UK |
| Retention Period | How long the data is kept |
| Security Measures | Technical and organisational controls |
| DPIA Status | Whether a Data Protection Impact Assessment has been done |

| Basis | When to Use |
|---|---|
| Consent | Individual has given clear consent |
| Contract | Processing is necessary for a contract |
| Legal Obligation | Processing is required by law |
| Vital Interests | Processing is necessary to protect someone's life |
| Public Task | Processing is necessary for official functions |
| Legitimate Interests | Processing is necessary for legitimate interests (with balancing test) |

Entries should be reviewed annually and updated whenever processing activities change.