The documentation of processing activities means that the company records which personal data it processes and for what purpose. Certain legally defined circumstances of the processing must also be documented, such as the storage period and the protective measures taken for the processing.
A key question for the documentation obligation is when data processing is involved.
In addition, the question arises as to how exactly processing is to be documented in the legal sense. When defining this, the controller should be guided not by the processing itself but by its telos, that is, its purpose. Wherever there is a process with its own purpose, there is data processing. The purpose must be formulated in sufficiently concrete terms. A purpose should also not be equated with a process-related category (such as “creation of...” or “use of...”).
The relevant provision for the documentation of processing activities is Art. 30 GDPR.
The first paragraph lists the categories of data that the controller must document. If a processor is involved in the documentation, the processor must document the data categories specified in paragraph 2.
A company that processes data not only as a controller but also as a processor must keep two types of documentation accordingly.