So it is stated in GDPR that if an organization has to maintain ROPA if
1. it has more than 250 employees
2. It performs processing that is not occasional
We act as both a
1. data processor for customers where we are processing personal data on a daily basis
2. data controller for our own employee data, marketing, and sales data
My question is are we still bound to maintain ROPA?