• Contact the office/person who is keeping the records of processing for your organization.
  • If necessary, your Data Protection Officer can help establish the contact.
• Inform them early on that you intend to process personal data.
  • Your processing activity needs to be entered in the records before processing starts.
• Follow their instructions of
  • what information you need to provide for the records of processing,
  • when you need to send updates of this information.

Additional documentation pertaining to a single processing activity.

The following items must be documented:

• Assessment whether the processing activity likely results in a high risk to the rights and freedoms of natural persons.
• A Data Protection Impact Assessment where the above assessment yields an affirmative result.
• Potential consultation of the competent supervisory authority prior to processing.
• Requirements and acceptance tests for the purchase and/or development of the employed software, hardware, and infrastructure.
• Implemented technical and organizational measures.
• Regular testing, assessing and evaluating the effectiveness of technical and organizational measures.
• Requirements and acceptance tests for the selection of processors.
• Contracts stipulated with processors.
• Possible inspections and audits of the processor.
• Method to collect consent.
• Demonstrations of individual expressions of consent.
• Information provided to data subjects.
• Implementation of data subject rights.
• Actual handling of data subject rights.
• Possible breach notifications to the competent supervisory authority.
• Possible communication of data breaches to concerned data subject.
• Any other communication with the competent supervisory authority.