GDPR questions and answers

Category:
DPO Challenges

Can the DPO Act as the Controller's Representative and Be Assigned Responsibility for Maintaining the Record of Processing Activities (RoPA)? When We Say the Controller Maintains the Record, Who Does That Refer To?

ANSWER

Maintaining the Record of Processing Activities (RoPA) is the responsibility of the data controller.

According to guidance from the Polish Data Protection Authority (UODO), this task should not be assigned to the Data Protection Officer (DPO). The DPO's role is to monitor and assess compliance, including verifying whether the RoPA is accurate and compliant with legal requirements. If the DPO were responsible for maintaining the register, they would effectively be required to audit their own work, which could create a conflict of interest.

Although the controller bears ultimate responsibility for the content, accuracy, and maintenance of the RoPA, the controller may rely on support from other individuals within the organization to keep the register current and reliable.

In practice, it is advisable to involve the owners of individual business processes because they:

  • have the most complete understanding of personal data flows within their respective areas;
  • work directly with the personnel carrying out those processes, making it easier to identify and document changes; and
  • can provide timely updates regarding new or modified processing activities.

Designating responsible process owners for specific processing operations not only facilitates the maintenance of the RoPA but also improves its accuracy and alignment with the organization's actual processing activities.

In this context, when it is said that "the controller maintains the register," it does not mean that the DPO must personally maintain it. Rather, it means that the controller remains legally accountable for ensuring that the RoPA exists, is kept up to date, and accurately reflects the organization's processing activities, even if operational tasks are delegated to process owners or other staff members.

Can the DPO maintain the RoPA? Who is responsible? | ODO 24