Fill the RoPA — the legal calls
The data work is done: Regixo mapped your systems and filled in the mechanical facts. What remains are the judgments only a person can make — a lawful basis for each activity, retention, and the sensitive-data grounds. Regixo suggests a starting point for each; you decide, confirm, and sign.
REGIXO_SIGNER_EMAIL; without it you get SIGNER_REQUIRED), and a confirmed
answer that names nobody is refused outright — ROPA_CONFIRM_UNATTRIBUTED — even on
import. No agent may confirm on your behalf: the read-only MCP server has no tool that could, and no
agent sentence is offered for the command that does.The fields you fill
Each processing activity has these legal fields. The mechanical ones (data categories, role, the transfers suggestion) are already filled from the map; the rest are yours.
| Field | What it is | Starts as |
|---|---|---|
| Purpose | Why you process this data. | needs you (a suggestion if the table name is recognisable) |
| Lawful basis | Your Article 6(1) ground. | needs you / a suggestion |
| Retention | How long you keep it. | needs you / a suggestion |
| Art. 9(2) ground | Extra ground for special-category data — only shown if present. | needs you |
| Art. 10 condition | Condition for criminal-offence data — only if present. | needs you |
| Transfers outside the EU | Whether data leaves the EU. | auto-suggested from the source region |
| Recipients · Data subjects | Who receives it; whose data it is. | needs you |
| Security measures | How it’s protected. | needs you (never auto-filled) |
| Controller · DP contact | Your organisation and its data-protection contact (Art. 30(1)(a)). | from regixo.yml or the claim form |
Lawful basis (Article 6(1))
Every activity needs exactly one Article 6(1) ground. These are the six, exactly as Regixo labels them, with a plain-English gloss:
| Ground | In plain English | Typically fits |
|---|---|---|
Art. 6(1)(a) consent | The person agreed to it. | Marketing, newsletters, optional cookies. |
Art. 6(1)(b) contract | You need it to deliver what they signed up for. | Customer accounts, orders, subscriptions. |
Art. 6(1)(c) legal obligation | A law requires you to hold it. | Invoices, tax records, payroll. |
Art. 6(1)(d) vital interests | Someone’s life depends on it. | Rare — emergency/medical situations. |
Art. 6(1)(e) public task | You act in the public interest / official authority. | Public bodies and delegated tasks. |
Art. 6(1)(f) legitimate interests | A genuine business reason that doesn’t override the person’s rights. | Fraud prevention, security logs, network operation. |
How Regixo suggests one
Regixo reads the activity’s table names and offers a starting suggestion when it recognises a pattern. It’s a transparent heuristic, not a legal engine:
| If the tables look like… | Suggested starting point |
|---|---|
| user, account, customer, profile, subscription | Art. 6(1)(b) contract |
| invoice, payment, charge, billing, order | Art. 6(1)(c) legal obligation / 6(1)(b) contract |
| employee, payroll, hr, staff | Art. 6(1)(c) legal obligation / 6(1)(b) contract |
| log, audit, event, session | Art. 6(1)(f) legitimate interests |
| marketing, campaign, newsletter, subscriber | Art. 6(1)(a) consent |
| patient, health, medical, clinical | a care-provision basis — and an Art. 9 ground (below) |
Choosing (f) legitimate interests — the balancing test
Legitimate interests is flexible but comes with homework: you must be able to show you weighed your interest against the person’s rights and freedoms (a “balancing test”), and that a reasonable person would expect the processing. Record that reasoning alongside the field. If the data is sensitive or the person wouldn’t expect it, another basis is usually safer.
Special category — Article 9(2)
Some data is extra-sensitive: health, ethnicity, religion, political opinions, trade-union membership, biometrics, sexual orientation. When Regixo detects it (its own Art. 9 badge), the activity needs a second ground under Article 9(2) in addition to your Article 6 basis. The ten grounds, exactly as Regixo lists them:
9(2)(a) | explicit consent | 9(2)(f) | legal claims |
9(2)(b) | employment & social-security law | 9(2)(g) | substantial public interest |
9(2)(c) | vital interests | 9(2)(h) | health or social care |
9(2)(d) | not-for-profit body | 9(2)(i) | public health |
9(2)(e) | made public by the data subject | 9(2)(j) | archiving, research or statistics |
The Art. 9 ground is a separate field from the lawful basis, so your Article 6 basis stays a clean single choice.
Criminal-offence data — Article 10
Data about criminal convictions or offences (its own Art. 10 class, never an Art. 9 ground) may only be processed under official authority or where authorised by Union or Member-State law. Regixo asks you to confirm that condition — it never proposes an Art. 9 ground for it.
Retention
How long you keep the data, and why. Regixo suggests a common default when the activity is recognisable — you confirm or replace it:
- Billing / invoices → 7 years (statutory tax retention)
- Employee records → 6 years after leaving (varies by member state)
- Marketing → until consent is withdrawn
- Logs / sessions → 30–90 days
- Customer accounts → account lifetime + statutory minimum
No recognisable pattern → the field is needs you. Set a concrete period tied to a reason, not “as long as necessary”.
Transfers, recipients, subjects, security
- Transfers outside the EU
- Auto-suggested from each source’s region — “None identified” when every source is in the EU, or “Yes — a source is hosted outside the EU” otherwise. Confirm or correct it, and note the safeguard (e.g. Standard Contractual Clauses) if data does leave.
- Recipients
- Who the data is disclosed to (processors, authorities). Regixo suggests the destination systems it can trace from cross-system lineage; you confirm those and add the rest. Enter categories, comma-separated.
- Data subjects
- Whose data it is — customers, employees, patients. Categories, not names.
- Security measures
- How the data is protected. Never auto-filled — describe your controls, or set them once in your organisation profile so they apply across activities.
How to fill & confirm
Filling and confirming happen on the claimed record. Read it signed out and every open legal call already shows itself: the value is blank, the badge says needs you, and a + Fill this link sits beside it. Signed out that link takes you to sign-in; signed in, it opens an editor in place. One activity, read signed out — Recipients and Security measures are still open, Retention has already been confirmed by a person:
Record of Processing Activities
DRAFT · not yet defensible-
Manage customer accountsaccounts · customersRegixo found: Date of birth, Email, Financial (card/IBAN), Identifier, Name · suggested basis Art. 6(1)(b) contract suggested⚠ Needs you: confirm the legal fields (purpose, lawful basis, retention); add who you share this data with (recipients) — none could be detected from the schema.
Activity detail & gaps
Purpose Create and run customer accounts and subscriptions so people can use your product or service. suggested Personal data Date of birth, Email, Financial (card/IBAN), Identifier, Name found Data subjects Customers suggested Recipients — none detected from your schema; add who you share this with needs you+ Fill this Lawful basis You need it to provide your product or service.Art. 6(1)(b) contract suggested Retention 5 years after account closure (AML) confirmed confirmed by your compliance team, 10 Jul 2026 Transfers outside the EU None identified from source regions suggested Security measures Describe them — or set once in your org profile needs you+ Fill this A person confirms legal fields — not Regixo. Purpose, lawful basis, retention and recipients are legal calls only your compliance owner makes. Regixo drafts them from your data; a person reviews and signs. This part isn’t yours to finish.
Here is a legal-basis row mid-fill — the inline editor open on the lawful-basis call, with the approver's confirm checkbox:
Activity detail & gaps — Manage customer accounts
| Purpose | Operate and support customer accounts found |
|---|---|
| Personal data | name, email, postal address found |
| Data subjects | Customers found |
| Lawful basis |
— no lawful basis recorded yet needs you
+ Fill this |
| Retention | — none recorded needs you+ Fill this |
Where each surface lands — and the honest limit of each:
On the claimed record, fill each call where you see it, step by step:
- Open the activity and read its detail table. Auto-filled facts carry a found badge; open legal calls carry needs you.
- On a blank row press + Fill this; a row already filled shows ✎ edit instead.
- Pick or type the value. Lawful basis is a picker — — pick an Art. 6(1) basis — lists all six, with a free-text …or type the basis in your own words underneath; special-category data adds — pick an Art. 9(2) ground — (all ten).
- Press Save. A preparer’s value saves as provided by you — a starting point to confirm, never a confirmation.
- An approver ticks Confirm as legally reviewed — your act as approver; Regixo never confirms a legal field for you. to confirm it, or presses Revert to Regixo’s suggestion. Confirming records who confirmed it and when.
The Still needs you index lists every open field, so you always know what is left. A tour: the compliance portal tour.
The free local record (regixo open) is read-only — filling
and confirming happen on the forwarded claim portal, or from the terminal with
regixo annotate.
$ regixo annotate set <activityKey> lawfulBasis "Art. 6(1)(b) contract" --confirm
This one’s yours. Only a person can confirm a legal field.
Confirming needs a signer identity (REGIXO_SIGNER_EMAIL); without it the value saves as a draft fill. Detail below.
A different surface. An assistant registered against the read-only
regixo mcp server reads the RoPA DRAFT (get_compliance_state) —
which legal fields are still suggested, and which need you. Neither agent surface can
confirm a legal field: no read tool exists to do it, and no sentence is offered for the command
that does.
Two ways to make the calls, depending on who you are:
In the portal (the compliance team)
Open each activity on your claimed record, choose the field’s value, and confirm. Roles apply: a preparer fills the fields; an approver confirms and signs. A confirmed field records who confirmed it and when.
From your project (the engineer, optional)
An engineer can pre-fill or confirm legal fields from the terminal with regixo annotate.
Confirming requires a signer identity, so the record knows who made the call:
$ export REGIXO_SIGNER_EMAIL=dpo@acme.example $ regixo annotate set <activityKey> lawfulBasis "Art. 6(1)(b) contract" --confirm
This one’s yours. Only a person can confirm a legal field.
--confirm (or without REGIXO_SIGNER_EMAIL) the value saves as a
draft fill, not a confirmation — you’ll see SIGNER_REQUIRED. And a confirmed legal answer
that names no one who confirmed it is refused outright (ROPA_CONFIRM_UNATTRIBUTED), even
on import. Confirmation is always a named human act.Rebuild the draft files — regixo report
regixo report re-reads the catalog and rewrites the draft files on disk, stamped
DRAFT. You rarely need it — everything that reads the catalog live is already
current the moment you save: the portal at regixo open, and the record
regixo invite sends. Both rebuild the draft on the spot.
The files on disk do not. regixo start and regixo watch write
RoPA_DRAFT.json. The human-readable RoPA_DRAFT.html — the one you would
actually email someone — is written in one place only: here.
“Rebuild my Regixo draft paperwork from the current map.”
Show the commandHide the commandShow the sentenceHide the sentence
$ regixo reportIt re-reads the catalog and rewrites both files, stamped DRAFT. Add
--dora (or set dora: true in regixo.yml) and it writes the
DORA register draft too.
When you actually need it: only when you are handing someone the
file. Fill a legal answer with regixo annotate, email
RoPA_DRAFT.html without re-running this, and you sent a file that does not contain
your answer — the CLI said “✓ Saved your answer”, and it had: to the catalog, not to that file.
regixo invite rebuilds the record as it sends, so the question never arises.
Show what it prints in the terminalHide the terminal outputShow what your agent reportsHide what your agent reports
RoPA DRAFT → ./RoPA_DRAFT.json (3 activities, stamped DRAFT) auto-filled 14 field(s) · 10 need you · 0 special-category (Art. 9) · coverage 2/4 sources read it: open RoPA_DRAFT.html