The GDPR requires data controllers not only to comply with data protection obligations, but also to be able to demonstrate their compliance with such obligations and with the principles enshrined in the norm. This means the data controller shall keep appropriate records and documentation pertaining to the data processing and the governance of such processing.
Apart from a limited set of documents that are clearly mandated (such as the record of processing activities required by Article 30 GDPR), it is the duty of the data controller to identify which documents are necessary to demonstrate compliance. The following table presents the list of documents mandated by the GDPR with the related location in the text. It should be considered a minimum baseline rather than an exhaustive checklist. Indeed, although not mandated, additional documents might be necessary to demonstrate compliance (e.g., reports of prior consultations with supervisory authorities, descriptions of implemented technical and organizational measures, etc.) (see the “Documentation of processing personal data” subsection in the Main Actions and Tools section of the General Part of these Guidelines).
| # | Document | Location in the GDPR |
|---|---|---|
| 1 | Personal data protection policy | Article 24.2 |
| 2 | Privacy notice | Articles 12, 13, 14 |
| 3 | Data Retention Policy | Articles 5, 13, 17, and 30 |
| 4 | Data Retention Schedule | Article 30 |
| 5 | Record of processing activities (if applicable) | Article 30 |
| 6 | Consent form (if applicable) | Articles 6, 7, 9 |
| 7 | Data processing agreement with suppliers | Articles 28, 32, 82 |
| 8 | Data Protection Impact Assessment | Article 35 |
| 9 | Appointment of an EU representative (if applicable) | Article 27 |
| 10 | Data Breach Response and Notification Procedure | Articles 4, 33, 34 |
| 11 | Data breach notification to Supervisory Authority (if applicable) | Article 33 |
| 12 | Data breach notification to data subjects (if applicable) | Article 34 |
Some documentation is necessary only when specific criteria apply.
| Conditionally mandated documentation | Condition |
|---|---|
| Record of processing activities | If the organization has 250 employees or more, or, below that threshold, if the processing is likely to result in a risk to the rights and freedoms of data subjects, is not occasional, or includes special categories of data or personal data relating to criminal convictions and offences |
| Consent form | If processing relies on consent as its legal basis, and if the consent has been collected in written form¹ |
| Appointment of an EU representative | If processing involves data subjects in the EU and is performed by a controller or processor not established in the EU, unless the processing is occasional, does not include large-scale processing of special categories of data or of personal data relating to criminal convictions and offences, and is unlikely to result in a risk to the rights and freedoms of natural persons |
| Data breach notification to Supervisory Authority | Only when a data breach occurs that is likely to result in a risk to the rights and freedoms of natural persons |
| Data breach notification to data subjects | When a data breach occurs that is likely to result in a high risk to the rights and freedoms of natural persons or, when it is unlikely to result in a high risk, if the supervisory authority requires it |
To make record keeping easier and consistent, the researcher should prepare appropriate templates for the steps to be documented, or consult with the DPO (or their legal department in lieu of the DPO) to check whether templates already exist within the organization.
Before starting with the collection and processing of personal data, the researchers should collect data protection documentation already available in their organization, and create a specific dossier containing all the relevant documentation. New documents should be added to the dossier as soon as they are created. The purpose of the dossier is to record the steps and decisions taken by the researchers and other data protection stakeholders involved in the research activity and to present enough information to demonstrate that compliance has been maintained throughout the process.
The research team should not look at the dossier as a mere recording obligation. The dossier should act as the formalization of the practical steps that the research team takes to safeguard the personal data. For instance, having a Data Breach Response and Notification Procedure is not sufficient: researchers should be able to demonstrate that the procedure can be swiftly and effectively put into action, should the need arise.
¹ Indeed, the GDPR does not mandate that consent be collected in written form. For more information, see European Data Protection Board, ‘Guidelines 05/2020 on Consent’, 16.