Documentation requirements of the GDPR

Who must implement the GDPR documentation obligations?

In order to comply with the provisions of the GDPR every company must comprehensively document its data protection measures and processing activities. Regardless of how large or small a company is or how many employees it employs.

This sounds at first like an extensive and rather burdensome duty, but in fact it forms the backbone of the data protection organisation. A by no means negligible side effect is that the documentation in connection with the GDPR ensures order. Because in the course of data protection documentation, responsible persons touch the processes of the companies individually and can optimise them in parallel.

Do companies with less than 250 employees have to document?

However, simply posting a privacy statement on the company's website is not enough, although some company representatives wrongly believe this. Those who do not keep documentation are liable to a fine in the event of an inspection by the supervisory authorities.

Companies often argue that Article 30(5) of the GDPR states that this obligation does not apply to companies or institutions employing fewer than 250 employees. However, the article also states that this is only the case if personal data are processed only occasionally. In practice, however, processing is already considered to be regular if, for example, the data of company employees are processed on computers.

In fact, the GDPR the data controllers with numerous specifications on documentation and accountability obligations. In practice, the preparation of the documentation is usually taken over by the qualified employee in the company, namely the data protection officer. Data protection officers can save a lot of time with software-based documentation.

What role does the data protection organisation play in implementing the documentation obligations of the DSGVO?

The fulfilment of these obligations is hardly possible without an effective data protection organisation. For example, the filing system for contracts must be set up in such a way that necessary documents can be found quickly. In practice, therefore, data protection organisation and complete documentation go hand in hand.

According to Article 5 GDPR, the controller has a duty to ensure that important principles for the processing of personal data are observed. These include earmarking, data minimisation and transparency. They can provide evidence of this with appropriate documentation. According to Article 24 GDPR the data controller must use technical and organisational measures to provide proof that the data processing is in compliance with the GDPR. However, the extent to which the accountability and verification obligations extend in detail is controversial.

What exactly does the data protection documentation cover?

In addition to these general accountability and verification obligations, the GDPR contains many other documentation obligations. Probably the best known is the keeping of a register of processing activities in accordance with Article 30 GDPR. The processing operations must contain the essential details of the processing in question. This includes, inter alia, the purpose of the processing and the categories of data subjects, data and recipients.

Another important area in which the GDPR requires documentation is the preparation of data protection impact assessments. This follows from Recital 90 the GDPR. Afterwards, the assessment serves to prove compliance with the GDPR.