Controllers must always keep in mind that the development of IoT solutions often involves the use of different datasets. The records must ensure the traceability of the processing, the information about possible re-use of data, and the use of data pertaining to different datasets in different or in the same stages of the life cycle, since the controller shall be responsible for, and be able to demonstrate compliance with, Article 5 of the GDPR (see the “Accountability principle” in the “Principles” section of Part II of these Guidelines). Whoever processes personal data (including both controllers and processors) needs to document their activities primarily for the use of qualified/relevant Supervisory Authorities (see the “Documentation of processing” section in the “Main Tools and Actions”, Part II of these Guidelines), but also, when appropriate, for use by data subjects and other stakeholders.
This must be done, among other things, through records of processing activities that are maintained centrally by the organization across all its processing activities, and additional documentation that pertains to an individual data processing activity (see the “Documentation of processing” section in the “Main Tools and Actions”, Part II of these Guidelines).
The first stages of the project development are the perfect moment to set up a systematic way of collecting the necessary documentation, since it will be the time when the organization conceives and plans the processing activity[1].
Checklist. Documentation
Additional documentation pertaining to a single processing activity.
References
[1] Article 25(1) of the GDPR calls this “the time of the determination of the means for processing”.