Training - Data Protection Process Documentation

Records of processing activities under Article

30 GDPR must contain: the name and contact details of the controller, the purpose of each processing operation, categories of data subjects and personal data, recipients of the data, transfers to third countries, envisaged deletion periods, and a general description of technical and organisational measures (TOMs). The records must be maintained in writing, though electronic format is permitted. They must be made available to the supervisory authority in full upon request.

In principle, every company and public body is required to maintain records of processing activities. The exception under Article 30(5) GDPR for organisations with fewer than

250 employees rarely applies in practice, as it only holds when the processing poses no risk to data subjects, occurs only occasionally, and does not involve special categories of data. Since virtually every organisation regularly processes employee data, the documentation obligation effectively applies to all.

Beyond the records of processing activities under Article

30 GDPR, further documentation obligations include: data protection impact assessments (DPIAs) under Article

35 GDPR for high-risk processing, documentation of technical and organisational measures (TOMs) under Article

32 GDPR, data processing agreements under Article

28 GDPR, documentation of data breaches under Article

33 GDPR, proof of consent under Article

7 GDPR, and documentation of data subject rights processes. All records serve the accountability principle under Article 5(2) GDPR.

Creating records of processing activities involves these steps: first, identify all departments and business processes where personal data is processed. Then compile the mandatory information under Article

30 GDPR for each process: processing purpose, data categories, categories of data subjects, recipients, deletion periods, and TOMs. Document the information in a structured template. Finally, have the records reviewed by the relevant departments and establish a regular update process.

The GDPR does not prescribe a fixed update interval but requires that records of processing activities reflect the current state of data processing. In practice, supervisory authorities recommend a review at least once a year, as well as event-driven updates when new processing activities are introduced, changes are made to existing processes, new software or service providers are adopted, or organisational restructuring takes place. A fixed review process with assigned responsibilities ensures the records stay current.

Missing or incomplete documentation can be sanctioned under Article 83(4) GDPR with fines of up to EUR

10 million or 2% of worldwide annual turnover. This applies in particular to missing records of processing activities, inadequate TOM documentation, and insufficient evidence of accountability. Supervisory authorities regularly review documentation in response to complaints, data breach notifications, and proactive inspections. In addition to fines, orders to restrict data processing may be imposed.

The ADVISORI training on data protection process documentation covers: analysis of existing documentation structures and identification of gaps, creation of GDPR-compliant records of processing activities under Article 30, documentation of technical and organisational measures, development of templates and checklists for daily work, practical exercises based on real-world scenarios, and integration of documentation into existing compliance workflows. Participants receive ready-to-use templates that can be deployed directly in their organisation.