Store all the documents required to demonstrate the compliance of this processing.

The documentation requirement stems from the accountability principle recalled in Article 24 of the GDPR.

In practice, this documentation is reflected primarily in the register of processing activities, but also in other elements of data management and GDPR compliance. These may include (but are not limited to) the following elements:

  • internal procedures for the creation of a new personal data processing operation (internal control, risk and proportionality assessment, etc.);

  • procedure for carrying out PIAs;

  • establishment of written and binding data protection policies to be considered and applied to new data processing operations (e.g. compliance with data quality criteria, prior notice, security principles, consultation, etc.), which should be made available to data subjects;

  • mapping procedures to ensure that all data processing operations are properly identified and an inventory of data processing operations is maintained;

  • setting up training programs for the people in charge of data processing management;

  • establishment of procedures for managing requests for access, rectification and deletion and the rights of data subjects;

  • setting up an internal complaints management mechanism;

  • developing internal procedures for effective data breach management and notification;

  • conducting privacy impact assessments in certain circumstances;

  • implementation and supervision of verification procedures to ensure that all measures do not only exist on paper, but are also implemented and work in practice (internal or external audits, etc.).

You can also store in this space any document useful for understanding the processing, training notes, and, if necessary, the contracts that frame the processing.
