GDPR Art 30 · GDPR Art 6 · GDPR Art 9 · GDPR Art 32 · RoPA · Deep Prototype

DataMapInventory — Records of Processing Activities (GDPR Art 30)

32 processing activities as a real RoPA. Per activity: purpose, Art 6 lawful basis, categories of data subjects, categories of personal data (Art 9 sensitive flagged), recipients, international transfers, retention period, Art 32 security measures. The canonical artifact every supervisory authority asks for first.


What it is

The shape behind every Records of Processing Activities register — OneTrust DataMap, Vanta, internal Notion templates. Art 30(1) demands this artifact in writing for every controller. DataMapInventory is the working version.

What’s in it

  • 32 processing activities covering the realistic SaaS surface:
    • Contract (Art 6(1)(b)) — account creation, payments, support, transactional emails, KYC webhook receipt
    • Consent (Art 6(1)(a)) — marketing, analytics, personalization, AI-generated marketing, biometric login, healthcare allergy notes
    • Legitimate interest (Art 6(1)(f)) — fraud-scoring, AI recruitment ranking, server access logs, employee productivity monitor, support transcript analysis
    • Legal obligation (Art 6(1)(c)) — KYC, audit logs, DSAR processing, consent audit-trail, whistleblower intake, vendor sanctions screening
  • Per-activity 7-field shape:
    1. Purpose
    2. Categories of data subjects (customers / prospects / employees / contractors / minors / DSAR-subjects)
    3. Categories of personal data (Art 9 sensitive flagged separately)
    4. Recipients (sub-processors, internal teams)
    5. International transfers (EU→US-DPF, EU→BR via SCC + TIA, none)
    6. Retention period (with the rationale: financial 7y, security 90d, consent 3y)
    7. Art 32 security measures (TLS, KMS, BAA, tokenization, MFA)
  • 4 sensitive (Art 9) activities flagged — KYC, biometric login, healthcare allergy notes, webcam liveness check
  • Cross-tool callbacks — every activity references the related DPIA, PIIScout column, ConsentLedger entry, RtbfFlow path, or IncidentLog timeline.
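
A completeness check over the 7-field shape listed above, as an added example that is not DataMapInventory's own code. The field names, the category-level and activity-level `art9` flags, and the three sample records are assumptions constructed for illustration.

```javascript
// Constructed example: field names and sample records are assumptions for illustration.
const LAWFUL_BASES = ["contract", "consent", "legitimate_interest", "legal_obligation"];
const REQUIRED = ["purpose", "dataSubjects", "dataCategories", "recipients",
                  "transfers", "retention", "securityMeasures"];
// A field is empty when missing, a blank string, or an empty array.
const isEmpty = v => v == null || (typeof v === "string" && v.trim() === "") ||
                     (Array.isArray(v) && v.length === 0);

// Returns the findings for one activity; an empty array means the record passes.
function lintActivity(a) {
  const out = [];
  for (const f of REQUIRED) if (isEmpty(a[f])) out.push(`${a.id}: missing ${f}`);
  if (!LAWFUL_BASES.includes(a.lawfulBasis)) out.push(`${a.id}: unknown lawful basis`);
  // Retention carries a period and the rationale for it.
  if (a.retention && (isEmpty(a.retention.period) || isEmpty(a.retention.rationale)))
    out.push(`${a.id}: retention needs period and rationale`);
  // An Art 9 category in the data list must also set the activity-level flag.
  if ((a.dataCategories || []).some(c => c.art9) && !a.art9)
    out.push(`${a.id}: Art 9 data present but activity not flagged`);
  return out;
}

// Lints the whole register and summarises it by lawful basis and Art 9 flag.
function lintRegister(register) {
  const byBasis = {};
  for (const a of register) byBasis[a.lawfulBasis] = (byBasis[a.lawfulBasis] || 0) + 1;
  return {
    findings: register.flatMap(lintActivity),
    byBasis,
    art9: register.filter(a => a.art9).map(a => a.id),
  };
}

const sampleRegister = [ // constructed records, not taken from the tool
  { id: "account-creation", lawfulBasis: "contract", purpose: "Create and manage accounts",
    dataSubjects: ["customers"], dataCategories: [{ name: "email", art9: false }],
    recipients: ["support team"], transfers: "none",
    retention: { period: "7y", rationale: "financial" }, securityMeasures: ["TLS", "MFA"], art9: false },
  { id: "biometric-login", lawfulBasis: "consent", purpose: "Passwordless sign-in",
    dataSubjects: ["customers"], dataCategories: [{ name: "face template", art9: true }],
    recipients: ["identity team"], transfers: "none",
    retention: { period: "3y", rationale: "consent" }, securityMeasures: ["KMS", "tokenization"], art9: false },
  { id: "server-access-logs", lawfulBasis: "legitimate_interest", purpose: "Security monitoring",
    dataSubjects: ["customers", "employees"], dataCategories: [{ name: "IP address", art9: false }],
    recipients: ["security team"], transfers: "",
    retention: { period: "90d" }, securityMeasures: ["TLS"], art9: false },
];
console.log(lintRegister(sampleRegister));
```

An international-transfers field must say "none" explicitly to pass; a blank value is reported as missing so that an unanswered field is not read as "no transfers".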

Why this shape

GDPR Art 30 makes the RoPA mandatory for any controller (>250 employees, or any processing of special categories). Every supervisory-authority site visit starts with this register. ICO RoPA guidance and the CNIL registre des traitements both demand the same 7-field shape. DataMapInventory ships that shape, populated with the realistic SaaS catalog.

How it ships

Single HTML file, ~24KB. Zero dependencies. 32 activities × 7 fields + Art 6 lawful-basis chips + filter chips in 280 lines of vanilla JavaScript.
