RoPA for SaaS teams: practical template and examples

A RoPA is a record of processing activities. Article 30 of the GDPR says controllers and processors should document who is involved, what data is processed, why it is processed, who receives it, what transfers occur, how long data is kept, and what security measures are in place.

Best fit

Operators and privacy owners building internal records for GDPR accountability

Last updated: 2026-03-14

When SaaS teams usually need a RoPA

Article 30 includes an exemption for organisations with fewer than 250 people, but that exemption disappears when processing is not occasional, is likely to result in a risk to the rights and freedoms of data subjects, or includes special-category or criminal-offence data.

Many SaaS businesses process customer and user data as part of normal product operations, so the 'not occasional' point often matters more than team size alone.

What to record as a controller and as a processor

Article 30(1) lists the controller-side fields, including contact details, purposes, categories of data subjects and personal data, recipients, transfers, retention periods, and security measures.

Article 30(2) separately requires processors to keep a record of the categories of processing they carry out on behalf of each controller, plus transfer and security information where applicable.

A practical template for a small SaaS team

Keep the template simple enough to update. One row per activity or system is usually better than a long narrative document.

  • Activity or workflow name
  • Controller or processor role
  • Purpose of processing
  • Data subjects and data categories
  • Recipients and subprocessors
  • International transfers
  • Retention period
  • Key security controls or TOM (technical and organisational measures) reference

Product context

Review how internal governance documents fit alongside public and customer-facing outputs. See the sample pack structure.

Sources

Official GDPR text on EUR-Lex

Official GDPR text, especially Article 30 and its small-team carve-out.

Next step

Use the guide as the baseline, then generate your own pack when you are ready to replace examples with your actual company, product, and vendor details.