GDPR Compliance - Documents and Records
1.5, 27.11.2023
GDPR Documents
CHAPTER I General provisions
Article 1 Subject-matter and objectives
Article 2 Material scope
Article 3 Territorial scope
Article 4 Definitions
Documents:
[1] Data Protection Policy
[2] Data Protection Framework (+scope and interested parties)
[35] Data Protection Risk Register (enterprise level)
[39] List of requirements
CHAPTER II Principles
Article 5 - Principles relating to processing of personal data
Article 6 - Lawfulness of processing
Article 7 - Conditions for consent
Article 8 - Conditions applicable to child's consent in relation to information society services
Article 9 - Processing of special categories of personal data
Article 10 - Processing of personal data relating to criminal convictions and offences
Article 11 - Processing which does not require identification
Documents:
[1] Data Protection Policy
[2] Data Protection Framework
[3] GDPR Gap Assessment and Audit Reports
[4] Executive Support Letter / Order
[5] Personal Data Register (with categories of data subjects)
[6] Third Party Register
[7] Consent form (templates) + register
CHAPTER III - Rights of the data subject
Section 1 - Transparency and modalities
Article 12 - Transparent information, communication and modalities for the exercise of the rights of the data subject
Section 2 - Information and access to personal data
Article 13 - Information to be provided where personal data are collected from the data subject
Article 14 - Information to be provided where personal data have not been obtained from the data subject
Article 15 - Right of access by the data subject
Section 3 - Rectification and erasure
Article 16 - Right to rectification
Article 17 - Right to erasure ('right to be forgotten')
Article 18 - Right to restriction of processing
Article 19 - Notification obligation regarding rectification or erasure of personal data or restriction of processing
Article 20 - Right to data portability
Section 4 - Right to object and automated individual decision-making
Article 21 - Right to object
Article 22 - Automated individual decision-making, including profiling
Section 5 - Restrictions
Article 23 - Restrictions
Documents:
[8] Privacy Notice (for web/app) + register
[9] Cookie Policy + Cookie Banner
[10] Employee Privacy Notice
[11] Response procedure to data subjects
[12] Data Subject Request Forms
[13] Data Subject Request Register
[14] Data Retention Policy
[1] Data Protection Policy
[2] Data Protection Framework (+scope and interested parties)
[3] GDPR Gap Assessment and Audit Reports
[4] Executive Support Letter / Order
[5] Personal Data Register (with categories of data subjects)
[6] Third Party Register
[7] Consent form (templates) + register
[8] Privacy Notice (for web/app) + register
[9] Cookie Policy and Cookie Banner
[10] Employee Privacy Notice
[11] Response procedure to data subjects
[12] Data Subject Request Forms
[13] Data Subject Request Register
[14] Data Retention Policy
[15] Data Processing Agreement (DPAs) / Standard Contractual Clauses (SCC)
[16] Records of Processing Activities (Personal Data Register, Third Party Register, etc)
[17] Requests and Responses by the Supervisory Authority
[18] Information Security Policy and other ISMS Documents (set)
[19] Information Security and Data Protection Awareness Trainings (records and materials)
[20] Data Breach Response and Notification Procedure
[21] Data Breach Notification form to the Supervisory Authority
[22] Data Breach Notification form to the Data Subjects
[23] Data Breach Register
[24] Data Protection Impact Assessment (DPIA) Procedure and Methodology
[25] Data Protection Impact Assessment Reports
[26] Job Description (DPO/DPM) / Contract
[27] Order on Creating the Privacy Committee + MoMs
[28] Management Review Reports
[29] Codes of conduct (if applicable)
[30] Statement of Applicability (ISO 27001 / ISO 27701, if applicable)
[31] Binding corporate rules (if applicable)
[32] Standard Contractual Clauses (SCC) for the Transfer of Personal Data (if applicable)
[33] Information Asset Register
[34] Information Security Risk Register
[35] Data Protection Risk Register (enterprise level)
[36] Data Transfer Policy
[37] Data Transfer Impact Assessment (methodology and reports)
[38] List of fines (country and industry)
[39] List of requirements