Create a repository for supporting documentation
Home » Biometrics » Case study » Preparation Phase » Create a repository for supporting documentation

The DPO of Developing Inc. creates a repository where the documentation concerning the processing is archived. The documents are stored locally in the servers of Developing Inc. The storage architecture of Developing Inc. is redundant to ensure business continuity, and the contents of the servers are periodically backed up.

The developers identify the following mandatory documentation:

Documentation: checklist
Personal data protection policy Applies
Privacy notice Applies
Data retention policy Applies
Data retention schedule Applies
Record of processing activities (if applicable) Applies (see below)
Consent form (if applicable) Applies (consent as legal basis)
Data processing agreement with suppliers Does not apply (no suppliers with access to personal data)
Data Protection Impact Assessment Applies (see section “Verify if Data Protection Impact Assesment is neccesary“)

Contractual clauses for the transfer of personal data (if applicable) Does not apply (no transfer)
Appointment of an EU representative (if applicable) Does not apply (Developing Inc. based in the European Union)
Data Breach Response and Notification Procedure Applies
Data breach register Does not apply (no breach has occurred)
Data breach notification form to the Supervisory Authority Does not apply (no breach has occurred)
Data breach notification form to data subjects Does not apply (no breach has occurred)

In the scenario, Design Inc. does have a record of processing activities. Indeed, even thoughit is a small organization with less than 250 employees, it performs data processing on its employees on a regular basis (e.g., managing salary, organizing corporate retreats, etc.). Developing Inc. has not produced a proprietary template for the record of processing activities and has adopted the one provided by the French Supervisory Authority[1].




1The template can be accessed at Commision Nationale Informatique & Libertés, ‘Record of Processing Activities’, August 2019,


Skip to content