GDPR Article 30 Compliance
GDPR Article 30 requires organizations processing personal data to maintain records of processing activities (ROPA).
Article 30 Requirement
Organizations must maintain written records of processing activities and make them available to supervisory authorities on request. This applies to controllers with 250+ employees or those processing special categories of data.
Required Record Elements
Each processing activity record must include:
- Controller/Processor identity -- Name and contact details
- Processing purposes -- Why data is processed
- Data subject categories -- Types of individuals affected
- Personal data categories -- Types of data processed
- Data recipients -- Who receives the data
- International transfers -- Third country transfers and safeguards
- Retention periods -- How long data is kept
- Security measures -- Technical and organizational safeguards
How Dxtra Supports Article 30
Processing Purposes
Configure processing purposes in the dashboard under Purposes. Each purpose documents:
| Element | Article 30 Requirement |
|---|---|
| Legal basis | Processing purposes and legal justification |
| Retention period | How long data is retained |
| Usage period | Active processing duration |
| Essential flag | Whether processing is necessary for service |
| Data categories | Types of personal data processed |
Processing Activity Log
The Activity Log in the dashboard records:
| Element | Article 30 Requirement |
|---|---|
| Data subject link | Links to data subject category |
| Data source | Data source/processor |
| Activity type | Processing activity type |
| Data fields | Personal data categories processed |
| Timestamp | When processing occurred |
Data Controller Information
Configure your controller details in the dashboard:
- Organization name and title
- DID (deterministic identifier)
- Contact information
- DPO details
Data Processor Tracking
Manage processors in the dashboard under Processors:
- Processor name and service category
- Retention and usage periods
- Processing purpose configuration
- Integration status
Article 30 Checklist
Processing Activity Documentation
- Each processing purpose has a clear name and description
- Legal basis documented for each purpose (Article 6 justification)
- Data categories specified via field mappings
- Data subject categories identified
Recipients and Transfers
- Internal recipients documented (user roles with access)
- External processors configured with retention details
- Third country transfers identified
- Transfer safeguards documented (SCCs, adequacy decisions)
Retention and Security
- Retention periods configured for each purpose
- Usage periods set for active processing
- Security measures documented at organizational level
- DPIA completed for high-risk processing
Legal Basis by Region
Dxtra maintains legal basis citation references for 40+ jurisdictions:
EU/EEA Jurisdictions
| Regulation | Regions |
|---|---|
| GDPR | European Union (27 member states) |
| UK GDPR | United Kingdom |
| GDPR | Norway, Iceland, Liechtenstein (EEA) |
Other Jurisdictions
| Regulation | Region |
|---|---|
| Swiss FADP | Switzerland |
| LGPD | Brazil |
| PIPL | China |
| POPIA | South Africa |
| CCPA/CPRA | California |
| APPI | Japan |
| PIPA | South Korea |
| PDPA | Singapore, Thailand |
| Privacy Act | Australia, New Zealand |
| PIPEDA | Canada |
Retention Period Configuration
Configure retention periods in the dashboard. Common retention periods:
| Duration | Use Case |
|---|---|
| 30 days | Temporary processing |
| 90 days | Short-term retention |
| 1 year | Standard retention |
| 5 years | Financial/tax records |
| 7 years | Legal compliance |
| While active | While service relationship is active |
Pre-configured Processor Retention
Dxtra includes retention defaults for common processors:
| Processor | Retention | Usage | Notes |
|---|---|---|---|
| Stripe | 5 years | 13 months | AML/KYC requirements |
| Shopify | While active | While active | While merchant active |
| WooCommerce | 30 days | 30 days | Server logs |
| Mailchimp | While active | While active | While account active |
| Klaviyo | 90 days | 90 days | Post-deletion |
| Google Ads | 11 years | 180 days | Advertising data |
| Google Analytics | 50 months | 180 days | Configurable |
Generating Article 30 Documentation
Document Structure
Organize Article 30 documentation into the following sections:
- Controller information -- Name, contact, DPO
- Processing purposes -- Each purpose with legal basis
- Data categories -- Fields processed per purpose
- Recipients -- Processors and sub-processors
- Retention schedule -- Periods per purpose/processor
- Security measures -- Organizational controls
Export from Dxtra
Use the Purposes and Processors sections in the dashboard to review and export your processing records. The Activity Log provides the processing history for audit purposes.
Implementation Steps
- Configure Data Controller -- Set up organization profile with contact details
- Define processing purposes -- Create purposes with legal basis and retention
- Map data categories -- Assign data field types to each purpose
- Configure processors -- Add data processors with retention details
- Document security -- Record organizational security measures
- Review and update -- Maintain records as processing changes
For Auditors and Regulators
Records Available for Audit
| Record Type | Description |
|---|---|
| Processing purposes | Purposes with legal basis documentation |
| Data categories | Field mappings in processing purposes |
| Retention periods | Configured retention documentation |
| Data processors | Processor relationships and retention policies |
| Controller details | Controller identity and contact information |
| Processing activity logs | Historical processing records |
Related Documentation
- GDPR Implementation -- Full GDPR compliance guide
- Data Retention -- Retention policy management
- Compliance Overview -- All compliance features
- Data Controller Setup -- Initial configuration