Documentation requirements of the GDPR
Who must implement the GDPR documentation obligations?
In order to comply with the provisions of the GDPR, every company must comprehensively document its data protection measures and processing activities, regardless of how large or small the company is or how many people it employs.
At first this sounds like an extensive and rather burdensome duty, but in fact it forms the backbone of the data protection organisation. A by no means negligible side effect is that GDPR documentation creates order: in the course of documenting data protection, the responsible persons examine each of the company's processes individually and can optimise them at the same time.
Even companies with fewer than 250 employees must document
However, simply posting a privacy statement on the company's website is not enough, although some company representatives wrongly believe it is. Those who keep no documentation are liable to a fine in the event of an inspection by the supervisory authorities.
Companies often argue that Article 30(5) GDPR states that this obligation does not apply to companies or institutions employing fewer than 250 employees. However, the same article also states that this exemption applies only if personal data are processed merely occasionally. In practice, processing is already considered regular if, for example, the data of the company's own employees are processed on computers.
In fact, the GDPR imposes numerous documentation and accountability obligations on data controllers. In practice, the preparation of the documentation is usually taken over by the qualified employee in the company, namely the data protection officer. Data protection officers can save a lot of time with software-based documentation.
What role does the data protection organisation play in implementing the documentation obligations of the GDPR?
The fulfilment of these obligations is hardly possible without an effective data protection organisation. For example, the filing system for contracts must be set up in such a way that necessary documents can be found quickly. In practice, therefore, data protection organisation and complete documentation go hand in hand.
According to Article 5 GDPR, the controller has a duty to ensure that the key principles for the processing of personal data are observed. These include purpose limitation, data minimisation and transparency. Controllers can provide evidence of this with appropriate documentation. According to Article 24 GDPR, the controller must use technical and organisational measures to demonstrate that data processing is in compliance with the GDPR. However, how far the accountability and verification obligations extend in detail is controversial.
What exactly does the data protection documentation cover?
In addition to these general accountability and verification obligations, the GDPR contains many other documentation obligations. Probably the best known is the keeping of a register of processing activities in accordance with Article 30 GDPR. The register must contain the essential details of each processing operation concerned. This includes, inter alia, the purpose of the processing and the categories of data subjects, data and recipients.
Another important area in which the GDPR requires documentation is the preparation of data protection impact assessments. This follows from Recital 90 of the GDPR. Once completed, the assessment serves to demonstrate compliance with the GDPR.
How do supervisory authorities deal with data protection documentation?
According to Article 33(5) GDPR, the controller must document breaches of the protection of personal data. This is an important basis for the supervisory authority when examining whether the notification of the data breach was properly made. Furthermore, with regard to the controller's obligation to erase data in accordance with Article 17 GDPR, it is necessary to keep an erasure concept available in which the principles of the deletion routines practised in the company are laid down.
Another element of documentation is the description of the technical and organisational measures (TOMs). These comprise the instruments and applications that ensure data security and data protection, including, for example, access control, transfer control and availability control.
In addition to the threat of fines, non-existent or incomplete documentation can lead to successful claims for damages for an infringement of the GDPR, because under Article 82(3) GDPR the controller or processor must prove that it is not at fault. The documentation can therefore save the company a lot of money.