Last Updated: 22 Oct 2025

Effective Date: 18 September 2023

Issued by: Neobank Capital

Applies to: All departments, subsidiaries, contractors, and third-party processors acting on behalf of Neobank Capital.


1. Purpose

The purpose of this policy is to define how Neobank Capital maintains and manages its Records of Processing Activities (ROPA) to ensure full compliance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

Maintaining accurate ROPA ensures transparency, accountability, and traceability in all personal data processing operations conducted across our decentralized fintech platforms and global operations.


2. Scope

This policy applies to all processing activities that involve personal data or personally identifiable information (PII) handled by:

  1. Neobank Capital and its affiliates;
  2. Employees, contractors, and consultants;
  3. Vendors and partners acting as data processors.

It covers all systems, applications, platforms, and databases used for delivering financial technology and related services.


3. Legal Basis

Under Article 30 of the GDPR, both data controllers and data processors must maintain written records of all categories of processing activities under their responsibility.

These records must be made available to the Supervisory Authority upon request.


4. Responsibility

The following roles share responsibility for maintaining the ROPA:

  1. Data Protection Officer (DPO): Owns and oversees the ROPA, ensuring completeness, accuracy, and annual review.
  2. Department Heads: Identify and document processing activities within their respective business areas.
  3. Data Processors and Third Parties: Must maintain and provide equivalent processing records when acting on behalf of Neobank Capital.

5. Structure of the ROPA

Neobank Capital maintains two separate records:

5.1 Record of Processing Activities (as Data Controller)

Includes:

  1. Name and contact details of the controller and, if applicable, the joint controller and DPO.
  2. Purpose(s) of each processing activity.
  3. Categories of data subjects (e.g., users, employees, contractors).
  4. Categories of personal data processed (e.g., contact details, KYC information, transaction data).
  5. Categories of recipients (e.g., service providers, payment networks, analytics providers).
  6. Transfers of personal data to third countries or international organizations, including transfer safeguards.
  7. Retention periods for each category of data.
  8. General description of technical and organizational security measures (per GDPR Article 32).

5.2 Record of Processing Activities (as Data Processor)

Includes:

  1. Name and contact details of Neobank Capital (processor) and each controller on whose behalf we act.
  2. Categories of processing carried out for each controller.
  3. Transfers of data to third countries and safeguards used.
  4. General security measures applied to the data.

6. Data Categories Included in the ROPA

Typical processing activities at Neobank Capital include (non-exhaustive):

| Processing Purpose | Data Subject | Data Category | Legal Basis | Retention Period | Recipients |
|---|---|---|---|---|---|
| User onboarding & KYC verification | Customers | Identification data, government ID, proof of address | Legal obligation (AML/KYC laws) | 5 years after account closure | Compliance vendors, regulators |
| Account management & transactions | Customers | Financial, transactional, and account data | Contract performance | Duration of account | Payment networks, partners |
| Customer support | Customers | Contact info, support tickets | Legitimate interest | 2 years | Internal teams |
| Marketing communications | Customers, prospects | Contact data, preferences | Consent | Until consent withdrawal | Marketing platforms |
| HR and payroll | Employees, contractors | Personal and employment data | Legal obligation / Contract | 6 years post-employment | Payroll providers, tax authorities |
| Platform analytics | Website visitors, app users | Usage data, IP, cookies | Legitimate interest | 1 year | Analytics providers |


7. Maintenance and Updates

  1. The ROPA is stored securely in digital format, within Neobank Capital’s internal compliance system.
  2. Updates must be made when:
     a. A new data processing activity is introduced;
     b. An existing activity is modified or discontinued; or
     c. There are changes to legal bases, recipients, or transfer mechanisms.
  3. The ROPA is reviewed at least annually by the DPO to ensure ongoing accuracy.

8. Data Minimization and Retention

Each processing activity recorded in the ROPA must specify the minimum data necessary for the stated purpose and its retention period.

Data must not be retained longer than required for business, contractual, or legal obligations.


9. Third-Party Processors

When Neobank Capital engages third parties to process personal data:

  1. The Data Processing Agreement (DPA) must require the processor to maintain a ROPA.
  2. Processors must make their records available upon request to Neobank Capital or the relevant authority.

10. Documentation and Audit Readiness

  1. The ROPA is maintained as part of Neobank Capital’s Data Protection Management Framework (DPMF).
  2. It must be readily accessible to supervisory authorities upon request.
  3. The DPO ensures version control, traceability, and integrity of all record updates.

11. Compliance and Enforcement

Failure to maintain accurate processing records may result in disciplinary action or termination of vendor contracts.

All employees and contractors are required to cooperate fully with ROPA maintenance and audits.


12. Contact Information

Data Protection Officer (DPO)

📧 privacy@neobank.capital

📍 Neobank Capital – Global Privacy Office


13. Review and Revision

This policy is reviewed annually or upon any significant changes to Neobank Capital’s business model, technologies, or legal environment.

All revisions will be communicated to relevant teams and logged in the ROPA system.

...