Who must keep a Record of Processing Activities?

GDPR Article 30(1) requires it for controllers, with an exemption for organisations under 250 employees that do not process special category data and where processing is occasional. Whistleblower processing is not occasional and frequently involves special category data, so the exemption rarely applies. Article 30(2) imposes the equivalent obligation on processors.

Does the RoPA need to be public?

No. RoPA is internal documentation. It must be made available to the supervisory authority on request (Art. 30(4)) but is not published. Some organisations publish a redacted summary as part of their transparency programme; this is optional.

What level of detail is required?

Article 30(1) lists six elements: controller details, purposes, categories of data subjects and data, recipients (including third-country recipients), retention, and a description of technical-and-organisational measures. The template below covers all six.

Free template · Updated May 2026

Record of Processing Activities (RoPA): Whistleblower Channel

A GDPR Article 30(1) record covering all six required elements, ready to paste into your master RoPA document. Pre-filled for the Confidly deployment defaults; edit the highlighted placeholders for your environment.

Identifier

Processing reference	WB-CHANNEL-01
Owner (business)	Head of Compliance, [Organisation]
Owner (data protection)	[DPO name]
Last reviewed	[yyyy-mm-dd]
Next review	[yyyy-mm-dd]

1. Controller (Art. 30(1)(a))

Controller	[Organisation legal name]
Registered office	[address]
Representative in the EU (if controller is non-EU)	[name, address]
DPO	[name, contact]

2. Purposes of processing (Art. 30(1)(b))

Operate an internal whistleblowing channel under [national transposition of Directive (EU) 2019/1937].
Receive, triage, and investigate reports of breaches and concerns.
Maintain records demonstrating compliance with Article 18 of the Directive and the national equivalent.
Communicate with reporters during and after the investigation.

3. Categories of data subjects (Art. 30(1)(c))

Reporters (employees, contractors, suppliers, board members, shareholders, volunteers, applicants, former employees up to 6-24 months).
Subjects of reports (named within report content).
Third parties mentioned within report content.
Case handlers and other authorised staff users.

4. Categories of personal data (Art. 30(1)(c))

Free-text report content (may include identifiers, allegations).
Attachments uploaded with reports.
Pseudonyms voluntarily provided by reporters.
Case codes (server-generated).
Case metadata: status, category, severity, assigned investigator, timestamps.
Staff identity: email, name, role, organisation membership.
Audit log entries: staff identity, action, IP address, user-agent, timestamp.

Special categories (Article 9): only to the extent voluntarily included by reporters in report content or attachments. Not solicited; treated with additional safeguards.

5. Recipients (Art. 30(1)(d))

Internal recipients: case handlers, alternate handlers, closure-panel members, escalation contacts (audit committee, board), DPO.
External processors:
- Confidly OÜ (EU): channel operator, processor.
- Hetzner Online GmbH (DE): hosting sub-processor.
- Cloudflare Ireland Ltd (IE): edge network sub-processor.
- Clerk, Inc. (US): staff identity provider sub-processor; SCCs + DPF.
- Anthropic, PBC (US): AI inference sub-processor (where AI features enabled); SCCs + Zero Data Retention.
- Stripe Payments Europe Ltd (IE): billing.
- Amazon Web Services EMEA SARL (DE, eu-central-1): transactional email.
- Sentry GmbH (DE): error monitoring; report content scrubbed.
Other recipients (case-specific): external counsel where engaged; competent authorities where reporting required by law; courts on valid disclosure orders.

6. Third-country transfers (Art. 30(1)(e))

Recipient	Country	Transfer mechanism
Clerk	USA	SCCs (Module Two) + EU-US Data Privacy Framework
Anthropic	USA	SCCs (Module Three) + Zero Data Retention contractual term

Documentation of the suitability of these transfers is held in the Transfer Impact Assessment file, dated [yyyy-mm-dd].

7. Retention periods (Art. 30(1)(f))

Data	Retention	Reason
Case content and attachments	Per case type per jurisdiction; default 3 years from closure (DE), case duration + 3 years (FR), 5 years (IT, ANAC interpretation), 10 years where criminal proceedings (ES, IE recommended), per organisational retention schedule otherwise	Art. 18 Directive 2019/1937 + national transposition
Audit log entries	7 years	Art. 18 demonstrability
Authentication logs	12 months	Legitimate interest (security)
Backup copies	30 days rolling	Disaster recovery

8. Technical and organisational measures (Art. 30(1)(g))

TLS 1.3 in transit; AES-256 at rest; per-object encryption for attachments.
Bcrypt cost 12 for reporter secrets; Argon2id for staff where identity provider supports it.
SSO with mandatory MFA option for staff users.
Role-based access enforcing least privilege.
Append-only audit log; daily WORM export.
Daily encrypted backups; restore tested monthly.
Annual third-party penetration test.
24-hour breach notification from processor to controller.
Sub-processor list maintained at /trust; 30 days' notice on additions.

9. Legal basis

Art. 6(1)(c) GDPR: compliance with the legal obligation imposed by [national transposition of Directive 2019/1937]. For special category data voluntarily disclosed, Art. 9(2)(b) GDPR (employment and social-protection law) combined with the national whistleblower act.

Maintained by [DPO name]. Reviewed annually. Made available to the supervisory authority on request per Art. 30(4) GDPR.