GDPR Documentation System
The Regulation shifts the axis of the legitimacy of personal data processing: it moves from the former legitimacy requirements to an accountability-based data protection system in which responsibility is attributed directly to the data controller.
 
In summary, the Regulation provides that compliance with the obligations of the data controller, which the controller is responsible for meeting and must be able to demonstrate (Articles 5.2 and 24.1), is shown through:
a documentation system, consisting of the record of processing activities carried out under the controller's own responsibility (Article 30) together with the further compulsory documentation listed below;
the adoption of appropriate data protection policies (Article 24.2), the assessment of processing operations for compliance, and the assessment of the effectiveness of the data protection measures implemented (Article 32.1, lett. d);
adherence to approved codes of conduct (Articles 24.3, 28.5, 32.3);
the use of an approved certification mechanism (Articles 24.3, 25.3, 28.5, 32.3).
Documentation requirements, assessments, codes of conduct and data protection certification are therefore the tools by which a company demonstrates that it meets the legal requirements.
Records of Processing 
The core of the documentation obligation is the record of processing activities (Article 30).
Specifically, the document must contain the following information:
the name and contact details of the controller and, where applicable, of the joint controller, the controller's representative and the data protection officer [art. 30.1, lett. a)];
the purposes of the processing [art. 30.1, lett. b)];
the categories of data subjects and the categories of personal data concerning them [art. 30.1, lett. c)];
the categories of recipients to whom the data have been or will be disclosed (including recipients in third countries or international organisations) [art. 30.1, lett. d)];
where applicable, transfers of personal data to third countries or international organisations, identifying each of them and, for transfers based on the compelling legitimate interests of the controller (Article 49.1, second subparagraph), the documentation of the suitable safeguards adopted [art. 30.1, lett. e)];
where possible, the envisaged time limits for erasure (retention periods) of the different categories of data [art. 30.1, lett. f)];
where possible, a general description of the technical and organisational security measures adopted under Article 32.1 [art. 30.1, lett. g)].
The processor must keep an analogous record of the categories of processing carried out on behalf of each controller (Article 30.2). Both records must be kept in writing, including in electronic form (Article 30.3), and made available to the supervisory authority on request (Article 30.4).
Supporting Documentation 
The documentation system is completed by the following “supporting documentation”, which the GDPR requires to be kept and maintained:
the arrangement between joint controllers setting out their respective responsibilities (Article 26);
the contract (or other legal act) governing the relationship between controller and processor and the processor's obligations (Article 28.3);
the documentation of personal data breaches, comprising the facts of the breach, its effects and the remedial action taken (Article 33.5);
the assessment and the suitable safeguards for transfers to third countries based on the compelling legitimate interests of the controller (Article 49.6), which must be documented in the record of processing activities referred to in Article 30 1.
1. A version of the proposed Regulation earlier than the one published on 21/1/2012 also required supporting documentation for foreign data transfers based on standard data protection clauses or binding corporate rules (Article 39.3).
Abolition of the Notification Obligation
The obligation to maintain the documentation system under the responsibility of the data controller replaces the general obligation to notify the supervisory authority laid down in the Directive 1.
1. See Section IX, Articles 18 et seq., Directive 95/46/EC.
Sanctions for Violation of the Documentation Obligations
Violation of the obligations concerning the proper management and retention:
of the record of processing activities
of the supporting documentation on personal data breaches and on the assessments for transfers to third countries based on the compelling legitimate interests of the controller
is punishable by administrative fines of «up to 10 000 000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher» (art. 83.4, lett. a). Note that infringement of the transfer rules themselves (Articles 44 to 49) falls under the higher tier of art. 83.5, lett. c): up to 20 000 000 EUR or, for an undertaking, up to 4 % of total worldwide annual turnover, whichever is higher.