Regixo docs
EU compliance · optional · compliance team

Fill the RoPA — the legal calls

The data work is done: Regixo mapped your systems and filled in the mechanical facts. What remains are the judgments only a person can make — a lawful basis for each activity, retention, and the sensitive-data grounds. Regixo suggests a starting point for each; you decide, confirm, and sign.

Optional · EU compliance module You need this only if your company must keep a GDPR Article 30 RoPA or a DORA register — it is an optional module on top of the free data catalog. If that is not you, you can skip this section.
The one rule that governs this page Regixo never sets a legal field to “confirmed” on its own. Purpose, lawful basis, retention and transfers are legal judgments — the tool suggests and sanity-checks; a named human confirms. A confirmation must carry the name of the person who made it (REGIXO_SIGNER_EMAIL; without it you get SIGNER_REQUIRED), and a confirmed answer that names nobody is refused outright — ROPA_CONFIRM_UNATTRIBUTED — even on import. No agent may confirm on your behalf: the read-only MCP server has no tool that could, and no agent sentence is offered for the command that does.

The fields you fill

Each processing activity has these legal fields. The mechanical ones (data categories, role, the transfers suggestion) are already filled from the map; the rest are yours.

FieldWhat it isStarts as
PurposeWhy you process this data.needs you (a suggestion if the table name is recognisable)
Lawful basisYour Article 6(1) ground.needs you / a suggestion
RetentionHow long you keep it.needs you / a suggestion
Art. 9(2) groundExtra ground for special-category data — only shown if present.needs you
Art. 10 conditionCondition for criminal-offence data — only if present.needs you
Transfers outside the EUWhether data leaves the EU.auto-suggested from the source region
Recipients · Data subjectsWho receives it; whose data it is.needs you
Security measuresHow it’s protected.needs you (never auto-filled)
Controller · DP contactYour organisation and its data-protection contact (Art. 30(1)(a)).from regixo.yml or the claim form

Lawful basis (Article 6(1))

Every activity needs exactly one Article 6(1) ground. These are the six, exactly as Regixo labels them, with a plain-English gloss:

GroundIn plain EnglishTypically fits
Art. 6(1)(a) consentThe person agreed to it.Marketing, newsletters, optional cookies.
Art. 6(1)(b) contractYou need it to deliver what they signed up for.Customer accounts, orders, subscriptions.
Art. 6(1)(c) legal obligationA law requires you to hold it.Invoices, tax records, payroll.
Art. 6(1)(d) vital interestsSomeone’s life depends on it.Rare — emergency/medical situations.
Art. 6(1)(e) public taskYou act in the public interest / official authority.Public bodies and delegated tasks.
Art. 6(1)(f) legitimate interestsA genuine business reason that doesn’t override the person’s rights.Fraud prevention, security logs, network operation.
Guidance, not legal advice The “typically fits” column and Regixo’s per-activity suggestions are a starting point to help you think it through — not a decision, and not legal advice. The right basis depends on your specific facts, and a named person on your team makes the call and signs. Where Regixo isn’t confident it marks the field needs you rather than guess.

How Regixo suggests one

Regixo reads the activity’s table names and offers a starting suggestion when it recognises a pattern. It’s a transparent heuristic, not a legal engine:

If the tables look like…Suggested starting point
user, account, customer, profile, subscriptionArt. 6(1)(b) contract
invoice, payment, charge, billing, orderArt. 6(1)(c) legal obligation / 6(1)(b) contract
employee, payroll, hr, staffArt. 6(1)(c) legal obligation / 6(1)(b) contract
log, audit, event, sessionArt. 6(1)(f) legitimate interests
marketing, campaign, newsletter, subscriberArt. 6(1)(a) consent
patient, health, medical, clinicala care-provision basis — and an Art. 9 ground (below)
Choosing (f) legitimate interests — the balancing test

Legitimate interests is flexible but comes with homework: you must be able to show you weighed your interest against the person’s rights and freedoms (a “balancing test”), and that a reasonable person would expect the processing. Record that reasoning alongside the field. If the data is sensitive or the person wouldn’t expect it, another basis is usually safer.

Special category — Article 9(2)

Some data is extra-sensitive: health, ethnicity, religion, political opinions, trade-union membership, biometrics, sexual orientation. When Regixo detects it (its own Art. 9 badge), the activity needs a second ground under Article 9(2) in addition to your Article 6 basis. The ten grounds, exactly as Regixo lists them:

9(2)(a)explicit consent9(2)(f)legal claims
9(2)(b)employment & social-security law9(2)(g)substantial public interest
9(2)(c)vital interests9(2)(h)health or social care
9(2)(d)not-for-profit body9(2)(i)public health
9(2)(e)made public by the data subject9(2)(j)archiving, research or statistics

The Art. 9 ground is a separate field from the lawful basis, so your Article 6 basis stays a clean single choice.

Criminal-offence data — Article 10

Data about criminal convictions or offences (its own Art. 10 class, never an Art. 9 ground) may only be processed under official authority or where authorised by Union or Member-State law. Regixo asks you to confirm that condition — it never proposes an Art. 9 ground for it.

Retention

How long you keep the data, and why. Regixo suggests a common default when the activity is recognisable — you confirm or replace it:

No recognisable pattern → the field is needs you. Set a concrete period tied to a reason, not “as long as necessary”.

Transfers, recipients, subjects, security

Transfers outside the EU
Auto-suggested from each source’s region — “None identified” when every source is in the EU, or “Yes — a source is hosted outside the EU” otherwise. Confirm or correct it, and note the safeguard (e.g. Standard Contractual Clauses) if data does leave.
Recipients
Who the data is disclosed to (processors, authorities). Regixo suggests the destination systems it can trace from cross-system lineage; you confirm those and add the rest. Enter categories, comma-separated.
Data subjects
Whose data it is — customers, employees, patients. Categories, not names.
Security measures
How the data is protected. Never auto-filled — describe your controls, or set them once in your organisation profile so they apply across activities.

How to fill & confirm

Filling and confirming happen on the claimed record. Read it signed out and every open legal call already shows itself: the value is blank, the badge says needs you, and a + Fill this link sits beside it. Signed out that link takes you to sign-in; signed in, it opens an editor in place. One activity, read signed out — Recipients and Security measures are still open, Retention has already been confirmed by a person:

what you'll see — one activity on the claimed record, signed out · each open legal call blank, badged needs you, with + Fill this beside it
Regixo compliance portal · EU-hosted

Record of Processing Activities

DRAFT · not yet defensible
  • Manage customer accountsaccounts · customers
    Regixo found: Date of birth, Email, Financial (card/IBAN), Identifier, Name · suggested basis Art. 6(1)(b) contract suggested
    ⚠ Needs you: confirm the legal fields (purpose, lawful basis, retention); add who you share this data with (recipients) — none could be detected from the schema.
    Activity detail & gaps
    PurposeCreate and run customer accounts and subscriptions so people can use your product or service. suggested
    Personal dataDate of birth, Email, Financial (card/IBAN), Identifier, Name found
    Data subjectsCustomers suggested
    Recipients— none detected from your schema; add who you share this with needs you+ Fill this
    Lawful basisYou need it to provide your product or service.Art. 6(1)(b) contract suggested
    Retention5 years after account closure (AML) confirmed confirmed by your compliance team, 10 Jul 2026
    Transfers outside the EUNone identified from source regions suggested
    Security measuresDescribe them — or set once in your org profile needs you+ Fill this
    A person confirms legal fields — not Regixo. Purpose, lawful basis, retention and recipients are legal calls only your compliance owner makes. Regixo drafts them from your data; a person reviews and signs. This part isn’t yours to finish.

Here is a legal-basis row mid-fill — the inline editor open on the lawful-basis call, with the approver's confirm checkbox:

what you'll see — the compliance portal · fill a legal field (signed in, as an approver) — a signed-in state; not reproducible from a signed-out capture
Regixo compliance portal · EU-hostedDana Kessler · approver · sign out
Activity detail & gaps — Manage customer accounts
PurposeOperate and support customer accounts found
Personal dataname, email, postal address found
Data subjectsCustomers found
Lawful basis — no lawful basis recorded yet needs you
+ Fill this
Retention— none recorded needs you+ Fill this
A person confirms legal fields — not Regixo. Purpose, lawful basis and retention are legal judgments; Regixo suggests and sanity-checks, your approver confirms and signs.

Where each surface lands — and the honest limit of each:

▤ In the portal

On the claimed record, fill each call where you see it, step by step:

  1. Open the activity and read its detail table. Auto-filled facts carry a found badge; open legal calls carry needs you.
  2. On a blank row press + Fill this; a row already filled shows ✎ edit instead.
  3. Pick or type the value. Lawful basis is a picker — — pick an Art. 6(1) basis — lists all six, with a free-text …or type the basis in your own words underneath; special-category data adds — pick an Art. 9(2) ground — (all ten).
  4. Press Save. A preparer’s value saves as provided by you — a starting point to confirm, never a confirmation.
  5. An approver ticks Confirm as legally reviewed — your act as approver; Regixo never confirms a legal field for you. to confirm it, or presses Revert to Regixo’s suggestion. Confirming records who confirmed it and when.

The Still needs you index lists every open field, so you always know what is left. A tour: the compliance portal tour.

The free local record (regixo open) is read-only — filling and confirming happen on the forwarded claim portal, or from the terminal with regixo annotate.

$ At the terminal
run
$ regixo annotate set <activityKey> lawfulBasis "Art. 6(1)(b) contract" --confirm

This one’s yours. Only a person can confirm a legal field.

Confirming needs a signer identity (REGIXO_SIGNER_EMAIL); without it the value saves as a draft fill. Detail below.

✦ A connected assistant

A different surface. An assistant registered against the read-only regixo mcp server reads the RoPA DRAFT (get_compliance_state) — which legal fields are still suggested, and which need you. Neither agent surface can confirm a legal field: no read tool exists to do it, and no sentence is offered for the command that does.

Two ways to make the calls, depending on who you are:

In the portal (the compliance team)

Open each activity on your claimed record, choose the field’s value, and confirm. Roles apply: a preparer fills the fields; an approver confirms and signs. A confirmed field records who confirmed it and when.

From your project (the engineer, optional)

An engineer can pre-fill or confirm legal fields from the terminal with regixo annotate. Confirming requires a signer identity, so the record knows who made the call:

run
$ export REGIXO_SIGNER_EMAIL=dpo@acme.example
$ regixo annotate set <activityKey> lawfulBasis "Art. 6(1)(b) contract" --confirm

This one’s yours. Only a person can confirm a legal field.

No anonymous confirmations Without --confirm (or without REGIXO_SIGNER_EMAIL) the value saves as a draft fill, not a confirmation — you’ll see SIGNER_REQUIRED. And a confirmed legal answer that names no one who confirmed it is refused outright (ROPA_CONFIRM_UNATTRIBUTED), even on import. Confirmation is always a named human act.

Rebuild the draft files — regixo report

regixo report re-reads the catalog and rewrites the draft files on disk, stamped DRAFT. You rarely need it — everything that reads the catalog live is already current the moment you save: the portal at regixo open, and the record regixo invite sends. Both rebuild the draft on the spot.

The files on disk do not. regixo start and regixo watch write RoPA_DRAFT.json. The human-readable RoPA_DRAFT.html — the one you would actually email someone — is written in one place only: here.

say

“Rebuild my Regixo draft paperwork from the current map.”

Show the commandHide the commandShow the sentenceHide the sentence
run
$ regixo report
then

It re-reads the catalog and rewrites both files, stamped DRAFT. Add --dora (or set dora: true in regixo.yml) and it writes the DORA register draft too.

When you actually need it: only when you are handing someone the file. Fill a legal answer with regixo annotate, email RoPA_DRAFT.html without re-running this, and you sent a file that does not contain your answer — the CLI said “✓ Saved your answer”, and it had: to the catalog, not to that file. regixo invite rebuilds the record as it sends, so the question never arises.

Show what it prints in the terminalHide the terminal outputShow what your agent reportsHide what your agent reports
example output
RoPA DRAFT → ./RoPA_DRAFT.json (3 activities, stamped DRAFT)
auto-filled 14 field(s) · 10 need you · 0 special-category (Art. 9) · coverage 2/4 sources
read it: open RoPA_DRAFT.html
Honest about the suggestions The suggestion heuristic is a convenience, pending legal review — treat every suggestion as a prompt to think, never as Regixo choosing your basis. The signed record is exactly what a human confirmed.
REGIXO — documentation · machines suggest, humans sign · not legal advice · Glossary