Article 30(1) and 30(2) set clear triggers for when a ROPA is needed. You must maintain a ROPA if you are a controller or processor, and any of the following apply:
- Your organization has 250 or more employees,
- The processing you carry out is likely to result in a risk to people's rights and freedoms,
- The processing is not occasional, or
- You handle special-category or sensitive data (health, religion, ethnicity, political opinions, etc.).
For personal data, examples include:
- Contact details (like email and phone numbers)
- Login credentials (usernames and passwords)
- IP addresses and device identifiers
For data subjects, categories might be:
- Customers
- Employees
- Contractors
- Website visitors