This analysis reviews RoPA requirements in the European Economic Area (EEA) under GDPR,(1) another six jurisdictions which roughly follow the GDPR(2) (i.e. “EEA and Others”), and 20 other European countries and regions outside the EEA that have data protection laws (i.e. “Non-EEA Europe”).(3)

Historically, data controllers across Europe have been required to register their processing activities; often with Supervisory Authorities. This is the Father of RoPA. Many countries still require registration: of the 20 Non- EEA Europe countries noted, 18 continue to require some form of registration for controllers,(4) whilst five of EEA and others do as well.(5)