Privacy Notices & RoPA
Qarion provides built-in privacy notice management and Record of Processing Activities (RoPA) reporting. These tools help organizations document their data processing activities and maintain compliance with GDPR Article 30 and similar requirements.
Overview
Privacy notices describe how your organization processes personal data. Each notice can have multiple processing purposes that define specific reasons for data handling (e.g., marketing analytics, fraud detection, customer support).
By linking privacy notices to data products, you create a structured record of which data is processed, why, and under what legal basis — forming the foundation of your RoPA report.
Managing Privacy Notices
Creating a Notice
Navigate to Compliance → Privacy Notices within your space and click New Notice:
- Name — Descriptive title (e.g., "Global Privacy Policy")
- Version — Version identifier (e.g., v1.0, v2.1)
- Status — Draft, Active, or Archived
- Content URL — Link to the published policy text
- Validity period — Optional valid_from and valid_to dates
Notice Lifecycle
Draft → Active → Archived
- Draft — Under development; not yet in effect
- Active — Currently governing data processing
- Archived — Superseded by a newer version; retained for audit
Processing Purposes
Each notice contains one or more processing purposes. Add purposes to describe specific data processing activities:
| Field | Description |
|---|---|
| Name | Short title (e.g., "Marketing Analytics") |
| Description | Detailed explanation of the processing activity |
| Essential | Whether processing is strictly necessary for service delivery |
RoPA Reports
The Record of Processing Activities (RoPA) is a regulatory requirement under GDPR Article 30. Qarion generates this report automatically by correlating privacy notices with data products.
Generating a Report
Navigate to Compliance → RoPA Report to generate a paginated, filterable report showing:
| Column | Description |
|---|---|
| Product | Data product name and type |
| Environment | Production, staging, dev, etc. |
| Lawful Basis | Legal basis for processing (e.g., Legitimate Interest, Consent) |
| Retention Period | How long data is retained |
| Data Subject Categories | Who the data is about (e.g., Customers, Employees) |
| Processing Purpose | Linked purpose from the privacy notice |
| Privacy Notice | The governing notice |
Filtering
Filter the RoPA report by:
- Search — Free-text search across product names, purposes, and lawful basis
- Lawful Basis — Filter by specific legal basis
- Environment — Scope to production, staging, etc.
- Mapping Status — Show mapped (linked to a notice), unmapped (no notice), or all
Run the RoPA report with mapping_status=unmapped to quickly identify data products that lack privacy notice coverage — these represent compliance gaps that should be addressed.
Integration with Data Products
Privacy notices are linked to data products through processing purposes. When a data product is mapped to a processing purpose, it appears in the RoPA report with all relevant metadata.
This integration means that as your data catalog grows, your compliance documentation grows with it — no separate spreadsheets or manual tracking required.
Related
- GDPR Compliance — How Qarion supports GDPR obligations
- Data Subject Requests — Handling export and erasure requests
- CCPA & HIPAA — Privacy notices in US regulatory context