Bud P. Bruegger (ULD)
The final version of this document was validated by Hans Graux, guest lecturer on ICT and privacy protection law at the Tilburg Institute for Law, Technology, and Society (TILT) and at the AP Hogeschool Antwerpen. President of the Vlaamse Toezichtscommissie (Flemish Supervisory Committee), which supervises data protection compliance within Flemish public sector bodies.
An organization who is processing personal data (including both, controllers and processors) needs to documents its activities primarily for consumption by the competent Data Protection Supervisory Authorities (DPA). This includes the records of processing that is maintained centrally by the organization across all its processing activities and additional documentation that pertains to an individual data processing activity. These are discussed separately in the following. The discussion focusses on the most common case for the intended audience, i.e., that a new processing activity is started within an organization that already has appointed a data protection officer who already keeps records of processing.
1See Art. 30(1) GDPR. ↑
2See Art. 30(2) GDPR. ↑
3See Art. 58(1)(a), 30(4) and 5(2) GDPR. ↑
4See Art. 30 GDPR. ↑