Glossary
RoPA
A Record of Processing Activities is the GDPR-mandated inventory of every personal-data processing activity in an organisation. Article 30 requires every organisation (with limited small-org exemptions) to maintain a written RoPA. For a whistleblowing channel, the entry must include purpose, data categories, recipients, retention, security measures, and any third-country transfers.
Full definition
GDPR Article 30 requires every organisation (with limited small-org exemptions) to maintain a written Record of Processing Activities (RoPA). For a whistleblowing channel, the RoPA entry must include: the purpose (compliance with EU Directive 2019/1937), categories of data subjects and personal data, recipients (case handlers, external counsel, competent authorities), retention period, technical and organisational security measures, and any third-country transfers. Confidly provides a pre-filled RoPA entry to every customer at activation.
Related terms
- GDPR: Regulation (EU) 2016/679, the General Data Protection Regulation, governs processing of personal data of EU residents. Whistleblowing channels process personal data of the reporter, the person reported on, and third parties named in the report. Key articles: Art. 6 (legal basis), Art. 5 (minimisation), Art. 9 (special categories), Art. 17 (erasure), and Art. 30 (records).
- DPIA: A Data Protection Impact Assessment is a GDPR-mandated risk analysis for high-risk data processing, required by Article 35. Whistleblowing typically triggers a DPIA because it involves systematic employee monitoring and special-category data such as allegations of criminal conduct. The DPIA documents purposes, data categories, risks, mitigation measures, and the DPO's opinion.