The documentation of personal data is one of the most controversial data protection issues. This page gives you an overview and answers important questions:
Intro: What are the most important facts about documentation?
Requirements: What does the law say about documentation?
Duties: What specific measures need to be implemented when it comes to documentation?
The documentation of processing activities means that the company records which personal data it processes and for what purpose. Certain legally defined circumstances of the processing must also be documented, such as the storage period and the protective measures taken for the processing.
A key question of the documentation obligation is when data processing is involved.
In addition, the question arises as to how exactly processing is to be delimited and documented in the legal sense. When defining this, the controller should be guided not by the processing operation itself but by its purpose (telos). Wherever there is a process with its own purpose, there is data processing. The purpose must be formulated in sufficiently concrete terms. A purpose should also not be equated with a process-related category (such as “creation of...” or “use of...”).
The relevant provision for the documentation of processing activities is Art. 30 GDPR.
The first paragraph lists the categories of data that the controller must document. If a processor is involved in the documentation, the processor must document the data categories specified in paragraph 2.
A company that processes data not only as a controller but also as a processor must keep two types of documentation accordingly.