Additional documentation pertaining to a single processing activity

In addition to the records of processing that are managed centrally in the organization, the person(s) responsible for a specific processing activity has to maintain additional documentation. For this purpose, it is good practice to set up a systematic way of collecting the necessary documentation starting from the time when you conceive and plan your processing activity[1]. This kind of information can be requested by Data Protection Supervisory Authorities either remotely[2] or during on-premise audits[3]. The necessary actions are described in the following DOs:

DOs

  • Data protection (like security) is a process, not a final state. Continuously document that process rather than only the final characteristics of the processing activity.
  • When applying data protection by design[4], the processing activity can be seen as the results of a series of many considerations and decisions. It is these considerations and decisions that should be documented.
  • Decide on a structure and format to systematically collect this information at the point in time when you conceive your processing activity.
  • Where the documentation itself contains personal information (see below), make sure to protect it sufficiently and limit its further use to the purpose of demonstrating compliance with the GDPR.

This documentation encompasses at least the items described in detail below; they are summarized in the checklist at the end of this section.

Assessment whether the processing activity likely results in a high risk to the rights and freedoms of natural persons

In order to determine whether a Data Protection Impact Assessment (DPIA) is required for a processing activity, an assessment has to be made whether the processing likely results in a high risk. This was described in the section “In what cases must I carry out a DPIA” in “Data Protection Impact Assessment” above. It is based on guidelines by the Article 29 Working Party and consists of the Boolean evaluation of nine criteria. It is important to document this assessment particularly as a justification for the case where a DPIA is deemed unnecessary (see “DPIA” in the “Main Tools and Actions” Section of the General Part of these Guidelines).

A Data Protection Impact Assessment where the above assessment yields an affirmative result

Where a DPIA is necessary, the DPIA itself is part of the documentation of processing. See Art. 35 GDPR and Data Protection Impact Assessment above for detail.

Potential consultation of the competent supervisory authority prior to processing

Where the DPIA indicates that the processing would result in a high risk even after mitigation with appropriate technical and organizational measures, the controller shall consult the supervisory authority prior to processing (see Art. 36(1) GDPR). Such consultation must be documented.

Requirements and acceptance tests for the purchase and/or development of the employed software, hardware, and infrastructure

According to Art. 25 GDPR, when determining the means of processing, a controller has to take the following into account:

  • The state of the art,
  • the cost of implementation,
  • the nature, scope, context and purposes of processing, and
  • the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing.

Based on this evaluation, the controller implements appropriate technical and organizational measures which are designed to implement data-protection principles, to meet the requirements of the GDPR and to protect the rights of data subjects.

This evaluation and the decisions taken have to be documented in order to comply with the requirement of data protection by design (of Art. 25 GDPR). Practically, this can take the form of:

  • Data protection requirements specified for the purchase (e.g., a tender) or development of software, hardware and infrastructure,
  • acceptance tests that verify that the chosen software, systems and infrastructure are fit for purpose and provide adequate protection and safeguards.

Such documentation can be an integral part of the DPIA.

Implemented technical and organizational measures

The documentation shall also comprise the technical and organizational measures that are implemented to mitigate the data protection risks and safeguard the rights and freedoms of data subjects.

The security measures are also part of the records of processing (see Art. 30(1)(g) GDPR); all implemented measures are part of the DPIA (see Art. 35(7)(d) GDPR).

Regular testing, assessing and evaluating the effectiveness of technical and organizational measures

The GDPR emphasizes data protection as a process. This is evident in Art. 32(1)(d) that requires regular testing, assessing and evaluating the effectiveness of technical and organizational measures, and Art. 35(11) that requires the controller to carry out a review to assess if processing is performed in accordance with the data protection impact assessment at least when there is a change of the risk represented by processing operations. Such recurring testing, assessing and evaluating shall be documented.

Requirements and acceptance tests for the selection of processors

According to Art. 28(1) GDPR, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organizational measures. This requires a selection process that shall be documented.

Contracts stipulated with processors

According to Art. 28(3) GDPR, the processing by a processor shall be governed by a contract that requires, among others, the implementation of appropriate measures and safeguards (see points d and e) and the right of inspection and audit by the controller (see point h). Such contracts are part of the documentation.

Possible inspections and audits of the processor

When a controller inspects or audits a processor according to Art. 28(3)(h), the actions taken and the outcome shall be documented.

Method to collect consent

Valid consent requires the fulfilment of stringent requirements (see Art. 4(11) and 7 GDPR). Where a controller chooses consent as a legal basis for (part of the) processing, the way (e.g., dialog) in which the consent was collected must be documented in order to demonstrate that the requirements were satisfied. Where dialogs change over time, a versioning that records the time of change is necessary.

Demonstrations of individual expressions of consent

According to Art. 7(1), the controller shall be able to demonstrate that the data subjects have consented to processing of their personal data. This requirement is discussed in more detail by the EDPB in their Guidelines 05/2020 on consent under Regulation 2016/679[5]. One possible way to demonstrate consent that they describe is to “retain information on the session in which consent was expressed, together with documentation of the consent workflow at the time of the session, and a copy of the information that was presented to the data subject at that time.”[6]

This illustrates that documentation in support of being able to demonstrate consent itself must be considered personal data. It must therefore be adequately protected and its use limited to the purpose of such demonstration.
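As an added illustration of the two preceding sections (versioned consent dialogs that record the time of change, and per-consent evidence of the session, workflow version and text shown), the following Python sketch is not part of the guidelines or of any product; the field names, the SHA-256 binding of the record to the dialog text, and the sample data are assumptions constructed for the example.

```python
# Added illustration, not part of the guidelines: a minimal consent evidence ledger. Each
# record keeps session, time, the dialog version in force and a hash of the exact text shown.
from dataclasses import dataclass
from datetime import datetime
import hashlib

@dataclass(frozen=True)
class DialogVersion:
    version: int
    valid_from: datetime   # time of change: the dialog history is versioned
    text: str              # exact information presented to the data subject
    def text_hash(self) -> str:
        return hashlib.sha256(self.text.encode("utf-8")).hexdigest()

@dataclass(frozen=True)
class ConsentRecord:       # personal data: protect it, use it only to demonstrate consent
    subject_id: str        # pseudonymous identifier of the data subject
    session_id: str
    timestamp: datetime
    dialog_version: int
    text_hash: str         # binds the record to the text actually shown at the time
    purposes: tuple

class ConsentLedger:
    def __init__(self, dialogs):
        self.dialogs = list(dialogs)
        self.records = []
    def dialog_at(self, when):
        # Version in force at `when`: the latest valid_from not after it; ValueError if none.
        return max((d for d in self.dialogs if d.valid_from <= when), key=lambda d: d.valid_from)
    def record_consent(self, subject_id, session_id, when, purposes):
        d = self.dialog_at(when)
        rec = ConsentRecord(subject_id, session_id, when, d.version, d.text_hash(), tuple(purposes))
        self.records.append(rec)
        return rec
    def demonstrate(self, subject_id, purpose):
        for rec in self.records:   # returns (record, dialog shown) or None
            if rec.subject_id == subject_id and purpose in rec.purposes:
                dialog = next(d for d in self.dialogs if d.version == rec.dialog_version)
                if dialog.text_hash() == rec.text_hash:  # archived text still matches evidence
                    return rec, dialog
        return None

def sample_ledger():
    # Constructed sample data: two dialog versions and two consents given under each.
    v1 = DialogVersion(1, datetime(2020, 1, 1), "We use your email for the newsletter.")
    v2 = DialogVersion(2, datetime(2020, 6, 1), "We use your email for the newsletter and product news.")
    ledger = ConsentLedger([v2, v1])
    ledger.record_consent("subj-42", "sess-abc", datetime(2020, 3, 15), ["newsletter"])
    ledger.record_consent("subj-7", "sess-def", datetime(2020, 7, 1), ["newsletter", "product-news"])
    return ledger
```

A consent given in March 2020 stays bound to dialog version 1 even after version 2 replaces it, which is what the versioning requirement above is meant to achieve.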

Information provided to data subjects

Art. 13 and 14 GDPR require the controller to provide adequate information about the processing to data subjects. To demonstrate compliance, the information actually provided shall be documented. Again, a versioning is necessary if the provided information changes over time.

Implementation of data subject rights

Articles 15 through 22 mandate the controller to grant data subjects specific rights (for example the right to rectification of inaccurate data, or the right “to be forgotten”) (see “Data Subject Rights” in the General Part of these Guidelines). In addition, when processing is based on consent, data subjects have the right to withdraw consent at any time (see Art. 7(3) GDPR). To demonstrate compliance, it is necessary to document how these rights are implemented[7]. Again, versioning may be necessary.

Actual handling of data subject rights

When data subjects invoke their rights, their requests shall be processed by the controller without delay. Art. 12(3) and (4) specify the maximum acceptable response times. In order to demonstrate the correctness and timeliness of the actions taken and the responses sent, documentation is necessary. Again, this documentation constitutes personal data and has to be adequately protected.

Possible breach notifications to the competent supervisory authority

Art. 33 GDPR requires notification of a personal data breach to the supervisory authority. Such notifications shall become part of the documentation.

Possible communication of data breaches to concerned data subject

Art. 34 GDPR requires communication of a personal data breach to the data subject under certain conditions. Such communications shall be documented. They likely contain personal data that need protection.

Any other communication with the competent supervisory authority

Any communication with a supervisory authority should be documented. Such communication can for example be initiated by the supervisory authority according to Art. 31 GDPR. Communication initiated by the controller according to Art. 36 was already listed above. In addition, data protection officers can also consult supervisory authorities according to Art. 39(1)(e).

Checklist (additional documentation pertaining to a single processing activity)

The following items must be documented:

  • Assessment whether the processing activity likely results in a high risk to the rights and freedoms of natural persons.
  • A Data Protection Impact Assessment where the above assessment yields an affirmative result.
  • Potential consultation of the competent supervisory authority prior to processing.
  • Requirements and acceptance tests for the purchase and/or development of the employed software, hardware, and infrastructure.
  • Implemented technical and organizational measures.
  • Regular testing, assessing and evaluating the effectiveness of technical and organizational measures.
  • Requirements and acceptance tests for the selection of processors.
  • Contracts stipulated with processors.
  • Possible inspections and audits of the processor.
  • Method to collect consent.
  • Demonstrations of individual expressions of consent.
  • Information provided to data subjects.
  • Implementation of data subject rights.
  • Actual handling of data subject rights.
  • Possible breach notifications to the competent supervisory authority.
  • Possible communication of data breaches to concerned data subject.
  • Any other communication with the competent supervisory authority.


References

[1] Art. 25(1) GDPR calls this “the time of the determination of the means for processing”.

[2] See Art. 58(1)(a) GDPR.

[3] See Art. 58(1)(b) GDPR.

[4] See Art. 25 GDPR.

[5] Section 5.1, pages 21 and 22 in EDPB, Guidelines 05/2020 on consent under Regulation 2016/679, Version 1.0, https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202005_consent_en.pdf (last visited 11/05/2020).

[6] See the end of paragraph 108 of the EDPB Guidelines 05/2020 cited in [5].

[7] The term “implemented” is not intended to imply automation; manual processing, for example by the data protection officer or another designated person, can be perfectly acceptable.
