What is a Register of Processing Activities (RoPA)? (GDPR Art. 30)

A Record of Processing Activities (RoPA) (Dutch: verwerkingsregister) is a mandatory internal list of all processing activities your organisation performs (GDPR Art. 30). The Dutch DPA can request it at any time — this is the test for accountability (Art. 5(2)). Mandatory content for controllers (Art. 30(1)): name + contact of controller + DPO, purposes, categories of subjects + personal data, recipients (incl. third countries), retention periods, security measures, international transfers with safeguards. For processors (Art. 30(2)): name + contact of controller + processor + DPO, categories of processing for each controller, transfers, security measures. Small business exception? Art. 30(5) seems to suggest <250 employees are exempt — but the exemption falls away as soon as you process: (a) non-incidentally, (b) special category or criminal data, (c) risk-presenting data. In practice = every Dutch SMB bakery, webshop, or HR consultancy needs one. Format: Excel suffices. The AP provides a free template. External SaaS tools (OneTrust, Privacy Tools) for large organisations. What is NOT in the register: actual personal data — that's the processing itself. The register is meta-data about processing. Fine: no register = Art. 83(4), up to €10m / 2%. Recent AP fines 2023-2025 for missing RoPA at healthcare providers + educational institutions.