The DPO of Developing Inc. creates a repository where the documentation concerning the processing is archived. The documents are stored locally in the servers of Developing Inc. The storage architecture of Developing Inc. is redundant to ensure business continuity, and the contents of the servers are periodically backed up.
The developers identify the following mandatory documentation:
Documentation: checklist | ||
Personal data protection policy | ✓ | Applies |
Privacy notice | ✓ | Applies |
Data retention policy | ✓ | Applies |
Data retention schedule | ✓ | Applies |
Record of processing activities (if applicable) | ✓ | Applies (see below) |
Consent form (if applicable) | ✓ | Applies (consent as legal basis) |
Data processing agreement with suppliers | ✗ | Does not apply (no suppliers with access to personal data) |
Data Protection Impact Assessment | ✓ | Applies (see section “Verify if Data Protection Impact Assesment is neccesary“)
|
Contractual clauses for the transfer of personal data (if applicable) | ✗ | Does not apply (no transfer) |
Appointment of an EU representative (if applicable) | ✗ | Does not apply (Developing Inc. based in the European Union) |
Data Breach Response and Notification Procedure | ✓ | Applies |
Data breach register | ✗ | Does not apply (no breach has occurred) |
Data breach notification form to the Supervisory Authority | ✗ | Does not apply (no breach has occurred) |
Data breach notification form to data subjects | ✗ | Does not apply (no breach has occurred) |
In the scenario, Design Inc. does have a record of processing activities. Indeed, even thoughit is a small organization with less than 250 employees, it performs data processing on its employees on a regular basis (e.g., managing salary, organizing corporate retreats, etc.). Developing Inc. has not produced a proprietary template for the record of processing activities and has adopted the one provided by the French Supervisory Authority[1].
References
1The template can be accessed at Commision Nationale Informatique & Libertés, ‘Record of Processing Activities’, August 2019, https://www.cnil.fr/en/record-processing-activities. ↑