Records of Processing Activities (RoPA)

GDPR Article 30 requires both data controllers and data processors to maintain written records of their processing activities. For pension scheme trustees, the RoPA is not merely an administrative requirement — it is the foundational compliance document that evidences every processing decision, maps legal bases, documents data flows, and supports the trustee’s ability to demonstrate accountability under Article 5(2). A well-maintained RoPA is also the starting point for a DPIA, the basis for a privacy notice, and the document a DPC inspector will ask to see first in any investigation.
Who is exempt? Article 30(5) exempts organisations with fewer than 250 employees from the RoPA obligation — unless processing is not occasional, or carries risk to the rights and freedoms of data subjects, or involves special categories of data. Pension scheme trustees almost invariably fall outside this exemption: pension data processing is systematic and ongoing, and affects members’ financial rights. Trustees should maintain a RoPA regardless of their headcount.

What a Controller’s RoPA Must Contain — Article 30(1)

For each processing activity, the controller’s RoPA must record:
| Required Element | Article 30(1) Reference |
| --- | --- |
| Name and contact details of the controller (and DPO, if appointed) | Article 30(1)(a) |
| Purposes of the processing | Article 30(1)(b) |
| Categories of data subjects | Article 30(1)(c) |
| Categories of personal data | Article 30(1)(c) |
| Categories of recipients (including third countries) | Article 30(1)(d) |
| Details of international transfers and transfer safeguards | Article 30(1)(e) |
| Envisaged retention periods (or criteria to determine them) | Article 30(1)(f) |
| General description of technical and organisational security measures | Article 30(1)(g) |

The RoPA must be maintained in writing (including electronic form) and must be made available to the supervisory authority — the DPC — on request.

What a Processor’s RoPA Must Contain — Article 30(2)

PensionPortal.ai, as a data processor, maintains its own processor RoPA covering:
| Required Element | Article 30(2) Reference |
| --- | --- |
| Name and contact details of the processor and each controller on whose behalf it acts | Article 30(2)(a) |
| Categories of processing carried out for each controller | Article 30(2)(b) |
| Details of international transfers and transfer safeguards | Article 30(2)(c) |
| General description of security measures | Article 30(2)(d) |

PensionPortal.ai’s processor RoPA is available to trustee clients on request and forms part of the due diligence documentation provided at onboarding.

Why Pension Trustees Need a Comprehensive RoPA

Beyond the legal obligation, a robust RoPA delivers practical compliance value:

DPIA Starting Point

The RoPA identifies which processing activities require a DPIA. The processing descriptions in the RoPA feed directly into the DPIA’s “describe the processing” step. Without a current RoPA, DPIA completion is guesswork.

Privacy Notice Foundation

The purposes, legal bases, and recipient categories in the RoPA are the source material for member-facing privacy notices. A RoPA that is inconsistent with the privacy notice indicates a compliance gap — both documents must tell the same story.

Breach Response Readiness

In the event of a data breach, the RoPA tells the trustee exactly what data was affected, where it was held, and who it was shared with — critical information for the Article 33/34 notification assessment under time pressure.

DPC Inspection Readiness

The DPC will ask to see the RoPA in any formal investigation or audit. An up-to-date, detailed RoPA is evidence of accountability. A missing or superficial RoPA is evidence of non-compliance — independent of any other infringement.

How PensionPortal.ai Supports RoPA Maintenance

PensionPortal.ai provides trustees with an integrated RoPA management tool:

Pre-Populated Template

At onboarding, trustees receive a pre-populated RoPA covering all standard processing activities performed through PensionPortal.ai — member data management, benefit administration, Pensions Authority reporting, ORA documentation, and governance workflows. Standard legal bases, data categories, and retention periods are pre-filled based on the Irish regulatory framework.

Customisation for Scheme-Specific Activities

Trustees add scheme-specific processing activities — payroll integration details, actuary arrangements, investment manager data flows, employer data-sharing arrangements. The platform provides a guided entry form ensuring all Article 30(1) elements are captured for each activity.

Living Document Maintenance

The RoPA is not a one-time exercise. PensionPortal.ai prompts trustees to review the RoPA:
  • When a new processing activity is introduced (e.g. a new integration or workflow)
  • When a new processor or sub-processor is engaged
  • When a data subject rights request reveals a gap in the RoPA
  • Annually as part of the ORA cycle
  • When significant regulatory changes occur
All edits are versioned with the date of change, the editor, and a description of what changed.

Export and Sharing

The RoPA can be exported as a structured PDF or CSV at any time. This supports:
  • Inclusion in annual trustee board reporting
  • Provision to the DPC on request
  • Sharing with the scheme’s DPO for review
  • Incorporation into the scheme’s governance filing system

DPC Expectations for Irish Organisations

The Data Protection Commission expects Irish organisations to maintain a RoPA that is:
  • Current: Reflecting actual processing at the time of inspection, not a historical snapshot
  • Specific: Named processors, documented legal bases per activity, actual retention periods — not generic descriptions
  • Accessible: Retrievable on request without delay. The DPC should not need to prompt a second time
  • Consistent: Aligned with the organisation’s privacy notice, DPA documentation, and DPIA
The DPC’s guidance on the RoPA is available at dataprotection.ie. Common failures identified in DPC enforcement include: absent legal basis for processing activities, undocumented international transfers, and retention periods listed as “as required by law” without specific citation.

Sample RoPA Entry: Pension Scheme Data Controller

The following illustrates a well-formed RoPA entry for a pension scheme trustee using PensionPortal.ai. This is a template — trustees must complete all fields with their scheme-specific details.

| Field | Content |
| --- | --- |
| Activity Reference | PA-001 |
| Processing Activity Name | Member benefit administration and record-keeping |
| Controller Name | [Scheme Name] — Pension Trustees |
| Controller Contact | [Trustee Chairperson or designated trustee contact, address] |
| DPO Contact (if appointed) | [DPO name, email, phone] |
| Purpose(s) of Processing | Administration of occupational pension scheme member benefits; generation of annual benefit statements; calculation of transfer values and retirement benefits; processing of death benefit claims |
| Legal Basis | Article 6(1)(c) — Legal obligation (Pensions Act 1990 as amended; S.I. 128/2021) |
| Special Category Data? | Yes — health data in context of ill-health retirement (Article 9(2)(b), supported by Data Protection Act 2018, s.36) |
| Data Subjects | Active members, deferred members, pensioner members, spouses/dependants |
| Data Categories | Name, address, PPS number, date of birth; employment history and pensionable service; salary history; contribution records (employee and employer); benefit entitlements; transfer value calculations; beneficiary details |
| Recipients | Scheme administrator (processor); actuary (processor); Pensions Authority (controller — regulatory reporting); Revenue Commissioners (controller — statutory returns); PensionPortal.ai (processor) |
| International Transfers | None (all processing within EEA). PensionPortal.ai sub-processors: SCCs in place where applicable — see sub-processor register |
| Retention Period | 6 years after member benefit fully discharged; scheme rules and trust deed: permanent |
| Security Measures | Encryption in transit (TLS 1.2+) and at rest (AES-256); role-based access control; immutable audit logging; ISO 27001-certified infrastructure; annual penetration testing; staff data protection training |
| Processor DPA Reference | DPA with PensionPortal.ai — [Reference number, date executed] |

| Field | Content |
| --- | --- |
| Activity Reference | PA-002 |
| Processing Activity Name | Own Risk Assessment documentation and governance |
| Purpose(s) of Processing | Preparation, documentation, and annual review of the scheme’s ORA as required by S.I. 128/2021, Regulation 44; evidencing compliance with IORP II system of governance requirements |
| Legal Basis | Article 6(1)(c) — Legal obligation (S.I. 128/2021, Regulation 44) |
| Data Subjects | Trustees, Key Function Holders, scheme administrator representatives |
| Data Categories | Names and contact details of trustees and KFHs; fitness and probity declarations; board meeting minutes and resolutions; governance documentation |
| Recipients | Pensions Authority (on request — supervisory review); external auditor (processor) |
| Retention Period | 6 years from date of ORA (or until 6 years after scheme wind-up, whichever is later) |
| Security Measures | As PA-001; document vault with version control and access logging |

| Field | Content |
| --- | --- |
| Activity Reference | PA-003 |
| Processing Activity Name | Annual report and regulatory returns to Pensions Authority |
| Purpose(s) of Processing | Compliance with annual reporting obligations under the Pensions Act 1990 (as amended) and S.I. 128/2021; response to supervisory enquiries |
| Legal Basis | Article 6(1)(c) — Legal obligation |
| Data Subjects | All scheme members (aggregated/statistical); trustees and KFHs (named) |
| Data Categories | Aggregate scheme membership statistics; trustee details; financial and actuarial data; governance declarations |
| Recipients | Pensions Authority (regulatory authority) |
| Retention Period | 6 years from filing date |

PensionPortal.ai’s Own Processor RoPA

As a data processor, PensionPortal.ai maintains a RoPA covering all processing activities performed on behalf of trustee clients. A summary is available on request and includes:
  • Categories of processing: member data management, benefit administration support, ORA workflow, document management, audit logging, rights request handling
  • Processing locations: EU/EEA primary; sub-processor locations and transfer mechanisms documented
  • Security measures: encryption, access controls, audit logging, penetration testing, ISO 27001 programme
  • Controller relationships: each trustee client listed as a separate controller with their DPA reference
Trustee clients may request a copy of PensionPortal.ai’s processor RoPA summary at any time via the compliance portal or their account manager.

Keeping the RoPA Current

A RoPA that does not reflect current reality is worse than no RoPA in some respects — it creates a false picture of compliance. Trustees should formally review the RoPA at least annually, and designate a responsible person (typically the DPO or scheme administrator) to flag changes that require an update. PensionPortal.ai’s change notification triggers help with this — but the trustee retains accountability.
The RoPA is a controller accountability document under Article 5(2). It does not need to be published (unlike, for example, a privacy notice), but it must be maintained and available. For Irish pension schemes under Pensions Authority supervision, a well-maintained RoPA is also evidence of a functioning system of governance — supporting the trustee’s IORP II compliance posture alongside its GDPR obligations.