In addition to the records of processing that are managed centrally in the organization, the person(s) responsible for a specific processing activity has to maintain additional documentation. For this purpose, it is good practice to set up a systematic way of collecting the necessary documentation starting from the time when you conceive and plan your possessing activity. This kind of information can be asked for by Data Protection Supervisory Authorities either remotely or during on-premise audits. The necessary action is described in the following DOs:
This documentation encompasses at least the following that is first listed in a checklist and then described in more detail thereafter.
Assessment whether the processing activity likely results in a high risk to the rights and freedoms of natural persons
In order to determine whether a Data Protection Impact Assessment (DPIA) is required for a processing activity, an assessment has to be made whether the processing likely results in a high risk. This was described in the section “In what cases must I carry out a DPIA” in “Data Protection Impact Assessment” above. It is based on guidelines by the Article 29 Working party and consists of the Boolean evaluation of nine criteria. It is important to document this particularly as a justification for the case where a DPIA is unnecessary (see “DPIA” in the “Main Tools and Actions” Section of the General Part of these Guidelines).
A Data Protection Impact Assessment where the above assessment yields an affirmative result
Where a DPIA is necessary, the DPIA itself is part of the documentation of processing. See Art. 35 GDPR and Data Protection Impact Assessment above for detail.
Potential consultation of the competent supervisory authority prior to processing
Where the DPIA indicates that the processing would resul”t in a high risk even after mitigation with appropriate technical and organizational measures, the controller shall consult the supervisory authority prior to processing (see Art. 36(1) GDPR). Such consultation must be documented.
Requirements and acceptance tests for the purchase and/or development of the employed software, hardware, and infrastructure
According to Art. 25 GDPR, when determining the means of processing, a controller has to take the following into account:
- The state of the art,
- the cost of implementation,
- the nature, scope, context and purposes of processing, and
- the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing.
Based on this evaluation, the controller implements appropriate technical and organizational measures which are designed to implement data-protection principles, to meet the requirements of the GDPR and to protect the rights of data subjects.
This evaluation and the decisions taken have to be documented in order to comply with the requirement of data protection by design (of Art. 25 GDPR). Practically, this can take the form of:
- Data protection requirements specified for the purchase (e.g., a tender) or development of software, hardware and infrastructure,
- acceptance tests that verify that the chosen software, systems and infrastructure are fit for purpose and provide adequate protection and safeguards.
Such documentation can be an integral part of the DPIA.
Implemented technical and organizational measures
The documentation shall also comprise the technical and organizational measures that are implemented to mitigate the data protection risks and safeguard the rights and freedoms of data subjects.
The security measures are also part of the records of processing (see Art. 30(1)(g) GDPR); all implemented measures are part of the DPIA (see Art. 35(7)(d) GDPR).
Regular testing, assessing and evaluating the effectiveness of technical and organizational measures
The GDPR emphasizes data protection as a process. This is evident in Art. 32(1)(d) that requires regular testing, assessing and evaluating the effectiveness of technical and organizational measures, and Art. 35(11) that requires the controller to carry out a review to assess if processing is performed in accordance with the data protection impact assessment at least when there is a change of the risk represented by processing operations. Such recurring testing, assessing and evaluating shall be documented.
Requirements and acceptance tests for the selection of processors
According to Art. 28(1) GDPR, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organizational measures. This requires a selection process that shall be documented.
Contracts stipulated with processors
According to Art. 28(3) GDPR, the processing by a processor shall be governed by a contract that requires among others the implementation of appropriate measures and safeguards (see points d and e) and the right for inspection and audit by the controller (see point h). Such contacts are part of the documentation.
Possible inspections and audits of the processor
When a controller inspects or audits a processor according to Art. 28(3)(h), the actions taken and the outcome shall be documented.
Method to collect consent
Valid consent requires the fulfilment of stringent requirements (see Art. 4(11) and 7 GDPR). Where a controller chooses consent as a legal basis for (part of the) processing, the way (e.g., dialog) in which the consent was collected must be documented in order to demonstrate that the requirements were satisfied. Where dialogs change over time, a versioning that records the time of change is necessary.
Demonstrations of individual expressions of consent
According to Art. 7(1), the controller shall be able to demonstrate that the data subjects have consented to processing of their personal data. This requirement is discussed in more detail by the EDPB in their Guidelines 05/2020 on consent under Regulation 2016/679. One possible way to demonstrate consent that they describe is to “retain information on the session in which consent was expressed, together with documentation of the consent workflow at the time of the session, and a copy of the information that was presented to the data subject at that time.”
This illustrates that documentation in support of being able to demonstrate consent itself must be considered personal data. It must therefore be adequately protected and its use limited to the purpose of such demonstration.
Information provided to data subjects
Art. 13 and 14 GDPR require the controller to provide adequate information about the processing to data subjects. To demonstrate compliance, the information actually provided shall be documented. Again, a versioning is necessary if the provided information changes over time.
Implementation of data subject rights
Articles 15 through 22 mandate the controller to grant data subjects specific right (as for example the right to rectification of inaccurate data, or the right “to be forgotten”) (see “Data Subject Rights” in the General Part of these Guidelines). In addition, when processing is based on consent, data subjects have the right to withdraw consent at any time (see Art. 7(3) GDPR). To demonstrate compliance, it is necessary to document how these rights are implemented. Again, versioning may be necessary.
Actual handling of data subject rights
When data subjects invoke their rights, they shall be processed by the controller without delay. Art. 12(3) and (4) specify maximal acceptable response times. In order to demonstrate correctness and timeliness of the actions taken and response sent, a documentation is necessary. Again, this documentation constitutes personal data and has to be adequately protected.
Possible breach notifications to the competent supervisory authority
Art. 33 GDPR requires notification of a personal data breach to the supervisory authority. Such notifications shall become part of the documentation.
Possible communication of data breaches to concerned data subject
Art 34 GDPR requires communication of a personal data breach to the data subject under certain conditions. Such communications shall be documented. They likely contain personal data that need protection.
Any other communication with the competent supervisory authority
Any communication with a supervisory authority should be documented. Such communication can for example be initiated by the supervisory authority according to Art. 31 GDPR. Communication initiated by the controller according to Art. 36 was already listed above. In addition, data protection officers can also consult supervisory authorities according to Art. 39(1)(e).
|Checklist (additional documentation pertaining to a single processing activity)
The following items must be documented:
1Art. 25(1) GDPR calls this “the time of the determination of the means for processing”. ↑
2See Art 58(1)(a) GDPR. ↑
3See Art 58(1)(b) GDPR. ↑
4See Art. 25 GDPR. ↑
5Section 5.1, pages 21 and 22 in EDPB, Guidelines 05/2020 on consent under Regulation 2016/679, Version 1.0, https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202005_consent_en.pdf (last visited 11/05/2020). ↑
6See at the end of paragraph 108. ↑
7The term “implemented” is not intended to imply automation; manual processing, for example by the data protection officer or another designated person, can be perfectly acceptable. ↑