Records of processing activities (ROPA)
The records of processing activities (ROPA) are the documented inventory that GDPR Article 30 requires controllers and processors to keep: what personal data you process, why, who receives it, where it goes, and how long you keep it. There is a partial exemption for some smaller organisations, but analytics is exactly the kind of processing a ROPA should capture. Maintaining a ROPA also gives you a practical map of your data. This is educational, not legal advice.
What this means
Article 30 of the GDPR requires most controllers and processors to maintain a written record of their processing activities. For a controller, that record covers the purposes, the categories of data subjects and personal data, the categories of recipients, any transfers to third countries, retention periods where possible, and a general description of security measures. It is an internal accountability document that supervisory authorities can ask to see.
How analytics fits the record
Web analytics is a processing activity, so it belongs in the ROPA: note the purpose (measuring site usage), the data categories (for example identifiers, IP-derived signals, event data), the recipients (any processors or platforms), transfers (where the data is hosted), and retention. Article 30 includes a partial exemption for organisations with fewer than 250 employees, but the exemption does not apply when the processing is not occasional, is likely to result in a risk to people's rights, or involves special-category data, so many sites still need a record. A good ROPA also doubles as a data map for DSARs and DPIAs.
- Purposes, data and subject categories, recipients
- Transfers, retention, and security overview
- Partial small-organisation exemption with conditions
How it appears in analytics and logs
If analytics processing is missing from your ROPA, your Article 30 inventory is incomplete; the ROPA should reflect every processing activity, analytics included.
Diagnostic use case
Record your analytics processing in a ROPA — purposes, data categories, recipients, transfers, and retention — so you can demonstrate accountability on request.
What WebmasterID can help detect
WebmasterID's minimised, first-party model yields a compact ROPA entry: few data categories, no ad-platform recipients, anonymised IPs, and short retention.
Common mistakes
- Leaving analytics out of the processing record.
- Assuming the under-250 exemption always applies.
- Letting the ROPA go stale after vendor or data changes.
Privacy and accuracy notes
This page is educational, not legal advice. Minimised analytics produces a shorter, simpler ROPA entry because there is less data and fewer recipients to record.
Related pages
- Data protection impact assessment (DPIA)
A Data Protection Impact Assessment (DPIA) is a structured analysis the GDPR requires before processing that is likely to result in a high risk to people's rights — for example large-scale profiling or systematic monitoring. Some analytics and tracking setups meet that bar. This page explains when a DPIA is required and what it documents.
- Controller vs processor
The GDPR assigns different duties to a controller — who determines the purposes and means of processing — and a processor, who processes personal data on the controller's behalf. Whether your analytics vendor is a processor or a joint controller changes the contracts and liabilities involved. This page explains the distinction and how it applies to analytics.
- Data subject access requests (DSAR)
Under the GDPR's right of access (Article 15), a person can ask a controller to confirm whether it processes their personal data and to receive a copy. Analytics datasets can fall in scope when they contain identifiers tied to an individual. This page explains the right and why data minimisation shrinks what a DSAR can reach.
- Privacy-first analytics
Minimised data makes for a compact ROPA entry.
Sources and verification notes
- EUR-Lex — GDPR Article 30 (records of processing activities): Primary text on ROPA. Educational, not legal advice.
Last reviewed 2026-06-24. Facts are checked against primary/official sources where available; uncertain specifics are marked “Data not yet verified” rather than guessed.