Prepare the documentation of processing
Home » IoT » Accountability and oversight » Prepare the documentation of processing

Controllers must always keep in mind that the development of IoT solutions often involves the use of different datasets. The traceability of the processing, the information about possible re-use of data, and the use of data pertaining to different datasets in different or in the same stages of the life cycle must be ensured by the records, since the controller shall be responsible for, and be able to demonstrate compliance with article 5 of the GDPR (See “Accountability principle” in the “Principles” section of Part II of these Guidelines). Whoever processes personal data (including both, controllers and processors) needs to document their activities primarily for the use of qualified/relevant Supervisory Authorities (see the “Documentation of processing” in the “Main Tools and Actions”, Part II of these Guidelines), but also, when appropriate, by data subjects and other stakeholders.

This must be done, among other things, through records of processing activities that are maintained centrally by the organization across all its processing activities, and additional documentation that pertains to an individual data processing activity (see the “Documentation of processing” section in the “Main Tools and Actions”, Part II of these Guidelines).

The first stages of the project development are the perfect moment to set up a systematic way of collecting the necessary documentation, since it will be the time when the organization conceives and plans the processing activity[1].

Checklist. Documentation

  • Contact the office/person who is keeping the records of processing for your organization.
    • If necessary, your Data Protection Officer can help establish the contact.
  • Inform them early on that you intend to process personal data.
    • Your processing activity needs to be entered in the records before processing starts.
  • Follow their instructions of
    • what information you need to provide for the records of processing,
    • when you need to send updates of this information.

Additional documentation pertaining to a single processing activity).
The following items must be documented:

  • Assessment whether the processing activity likely results in a high risk to the rights and freedoms of natural persons.
  • A Data Protection Impact Assessment where the above assessment yields an affirmative result.
  • Potential consultation of the competent supervisory authority prior to processing.
  • Requirements and acceptance tests for the purchase and/or development of the employed software, hardware, and infrastructure.
  • Implemented technical and organizational measures.
  • Regular testing, assessing and evaluating the effectiveness of technical and organizational measures.
  • Requirements and acceptance tests for the selection of processors.
  • Contracts stipulated with processors.
  • Possible inspections and audits of the processor.
  • Method to collect consent.
  • Demonstrations of individual expressions of consent.
  • Information provided to data subjects.
  • Implementation of data subject rights.
  • Actual handling of data subject rights.
  • Possible breach notifications to the competent supervisory authority.
  • Possible communication of data breaches to concerned data subject.
  • Any other communication with the competent supervisory authority.



1Article 25(1) of the GDPR calls this “the time of the determination of the means for processing”.

Skip to content