Preparing the documenting of processing

Whoever processes personal data (including both controllers[1] and processors[2]) needs to document their activities primarily for the use of qualified/relevant Supervisory Authorities.[3] This must be done through records of processing that are maintained centrally by the organization across all its processing activities, and additional documentation that pertains to an individual data processing activity (see the “Documentation of processing” section in the “Main Tools and Actions”). This preliminary stage is the perfect moment to set up a systematic way of collecting the necessary documentation, since it will be the time when the organization conceives and plans the processing activity[4].

Indeed, controllers should create a Data Protection Policy that allows the traceability of information (if approved codes of conduct exist, these should be implemented; see the “Economy of scale for compliance and its demonstration” subsection in the “Accountability” section of the “Principles”). This policy should also make the responsibilities assigned to processors clear and include in the processing agreement the tasks that will be delegated to them in relation to the execution of data subjects’ rights. AI developers should always remember that Article 32(4) of the GDPR clarifies that an important element of security is to ensure that employees act only on instruction and as instructed by the controller (see the “Integrity and confidentiality” section of the “Principles” chapter).

Controllers must always keep in mind that the development of AI tools often involves the use of different datasets. The traceability of the processing, the information about possible re-use of data, and the use of data pertaining to different datasets in different or in the same stages of the life cycle must be ensured by the records.

[1] See Article 30(1) of the GDPR.

[2] See Article 30(2) of the GDPR.

[3] See Articles 58(1)(a), 30(4) and 5(2) of the GDPR.

[4] Article 25(1) of the GDPR calls this “the time of the determination of the means for processing”.
