Records of processing (ROPA) in depth
A record of processing activities (ROPA) under GDPR Article 30 is a structured inventory of each processing activity, capturing the purposes, categories of data subjects and personal data, recipients, transfers, retention periods, and security measures. This page goes deeper than the overview by walking through what a ROPA entry for a web-analytics activity actually contains, and how controller and processor records differ. This page is educational, not legal advice.
What an analytics ROPA entry contains
Article 30(1) lists what a controller's record must include for each activity: the controller's identity and contact, the purposes of processing, categories of data subjects and of personal data, categories of recipients, any third-country transfers and their safeguards, envisaged retention periods, and a general description of security measures. For a web-analytics activity that means naming the measurement purpose, the data (e.g. truncated IP, page views, device category), any analytics vendor as recipient, any transfer route, the retention schedule, and the controls applied.
Controller vs processor records, and keeping it live
Article 30(2) sets a slimmer record for processors, focused on the categories of processing carried out for each controller, transfers, and security measures. So your analytics vendor keeps its own processor ROPA while you keep the controller record. The hard part is accuracy: a ROPA drifts the moment a tag manager adds a recipient or a retention period changes. Tie ROPA updates to your data-mapping process so the record reflects reality. The small-organisation exemption in Article 30(5) is narrow and rarely covers ongoing tracking.
A minimised activity is far easier to document truthfully.
- Article 30(1): controller record fields per activity
- Article 30(2): slimmer processor record
- Update alongside data mapping to stay accurate
How it appears in analytics and logs
If you cannot describe your analytics activity's purpose, data, recipients, transfers and retention in one record, your ROPA entry is incomplete.
Diagnostic use case
Build a complete Article 30 record for a web-analytics activity so you can demonstrate accountability and answer regulator or data-subject queries.
What WebmasterID can help detect
WebmasterID's minimised, first-party model makes an analytics ROPA entry short — few data categories, few recipients, and clear retention.
Common mistakes
- Relying on the Article 30(5) exemption for ongoing tracking.
- Letting the ROPA drift when recipients or retention change.
- Confusing the controller record with the processor record.
Privacy and accuracy notes
This page is educational, not legal advice. A ROPA documents processing; keep it accurate without turning it into a store of unnecessary personal data.
Related pages
- Records of processing activities (ROPA)
Records of processing activities (ROPA) is the documented inventory GDPR Article 30 requires controllers and processors to keep: what personal data you process, why, who receives it, where it goes, and how long you keep it. There is a partial exemption for some smaller organisations, but analytics is exactly the kind of processing a ROPA should capture. Maintaining one is also a practical map of your data. This is educational, not legal advice.
- Data mapping for analytics
Data mapping (data-flow mapping) documents the journey of personal data through an analytics stack: what is collected, by which tags, where it is sent, which vendors process it, and how long each store retains it. It underpins records of processing, DPIAs, breach response, and data-subject requests, because you cannot honour a deletion request or assess a transfer you have not mapped. This page is educational, not legal advice.
- Controller vs processor
The GDPR assigns different duties to a controller — who determines the purposes and means of processing — and a processor, who processes personal data on the controller's behalf. Whether your analytics vendor is a processor or a joint controller changes the contracts and liabilities involved. This page explains the distinction and how it applies to analytics.
- Privacy-first analytics
A minimised activity makes the ROPA entry short and truthful.
Sources and verification notes
- EUR-Lex — GDPR Article 30 (records of processing activities)Primary text on controller and processor records. Educational, not legal advice.
Last reviewed 2026-06-24. Facts are checked against primary/official sources where available; uncertain specifics are marked “Data not yet verified” rather than guessed.