The Core Data-Protection Documents Every GDPR-Bound Organisation Needs

Ask a compliance team what the GDPR demands on paper, and the honest answer is short: the Regulation rarely names a “document” outright, but it imposes obligations that only documentation can satisfy. Seven artefacts do most of the heavy lifting — a privacy notice, a Record of Processing Activities, a controller–processor contract, an impact assessment, a breach procedure, a process for access requests, and a retention policy. Each one ties back to a specific provision of Regulation (EU) 2016/679, and each is something a supervisory authority can ask to see.

The Privacy Notice (Articles 13 and 14)

Transparency is the obligation that touches every data subject, and the privacy notice is how a controller meets it. Articles 13 and 14 distinguish between data collected directly from the individual and data obtained from another source — the disclosure list is broadly similar, but Article 14 adds the source of the data and gives a longer window to inform people.

A compliant notice should set out:

The identity and contact details of the controller, and the Data Protection Officer where one exists.
The purposes of processing and the legal basis under Article 6 (and Article 9 conditions for special-category data).
Where the basis is legitimate interests, the interests pursued.
Recipients or categories of recipients, including processors.
Any transfer outside the EEA and the safeguard relied upon.
The retention period, or the criteria used to set it.
The data subject’s rights — access, rectification, erasure, restriction, portability, objection — and the right to lodge a complaint with a supervisory authority such as the Data Protection Commission or the UK’s ICO.

Language matters as much as content. Article 12 requires the notice to be concise, intelligible and in plain terms, which rules out burying the disclosures in dense legalese.

Records of Processing Activities (Article 30)

Article 30 obliges controllers and processors to maintain a written, internal inventory of their processing — purposes, categories of data subjects and data, recipients, transfers, retention periods and a general description of security measures. Crucially, the ROPA is not published; it is produced to the supervisory authority on request.

The much-cited 250-employee figure deserves care. Organisations with fewer than 250 employees are not automatically exempt. The derogation in Article 30(5) falls away when processing is likely to result in a risk to data subjects’ rights, when it is not occasional, or when it involves special categories of data or criminal-offence data. Most businesses that process customer or staff data on any continuing basis therefore keep records regardless of headcount. Treating “small” as “exempt” is one of the more common misreadings of the Regulation.

The Data Processing Agreement (Article 28)

Whenever a controller hands personal data to a processor, Article 28 requires a contract — and it prescribes much of the wording. The contract must bind the processor to act only on documented instructions, ensure staff are under confidentiality, apply appropriate security under Article 32, assist the controller with data-subject rights and breach obligations, and either delete or return the data at the end of the engagement. The processor must also submit to audits and make available the information needed to demonstrate compliance.

Two clauses cause the most trouble in practice:

Sub-processors. A processor may engage another processor only with the controller’s authorisation, and the same Article 28 obligations must flow down by contract.
International transfers. Where data leaves the EEA, Chapter V applies. Most commercial arrangements rely on the European Commission’s Standard Contractual Clauses, supported by a transfer impact assessment in light of the Schrems II ruling. The UK adds its own International Data Transfer Agreement or the UK Addendum to the EU SCCs.

Drafting one of these from a blank page is rarely worth the risk; a well-structured data processing agreement template gives you the mandatory Article 28 clauses as a baseline to adapt. The point is to start from the statutory requirements, not to discover them after a contract is already signed.

Data Protection Impact Assessment (Article 35)

Some processing is risky enough that the Regulation wants the analysis done before it begins. Article 35 requires a Data Protection Impact Assessment where processing is “likely to result in a high risk” to individuals — and it lists three triggers in particular: systematic and extensive profiling with significant effects, large-scale processing of special-category or criminal-offence data, and systematic monitoring of a publicly accessible area on a large scale. National authorities publish their own lists of operations that mandate a DPIA, and the EDPB’s guidelines set out nine criteria worth weighing.

A sound assessment runs through four stages:

Describe the processing — its nature, scope, context and purposes.
Assess necessity and proportionality against the stated purposes.
Identify and evaluate the risks to data subjects.
Decide on measures to mitigate those risks, recording the residual risk.

Where high risk remains even after mitigation, Article 36 requires prior consultation with the supervisory authority. A DPIA is a living record, not a one-off form — revisit it when the processing changes.

Personal-Data-Breach Notification (Articles 33 and 34)

Breaches are inevitable; the documentation that surrounds them is what regulators judge. Article 33 sets the headline rule: notify the competent supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms. Miss the deadline and the notification must explain the delay.

Two thresholds govern the response:

Authority notification (Article 33) is triggered by any risk to rights and freedoms — a relatively low bar.
Individual notification (Article 34) applies only to a high risk, and tells affected people directly so they can protect themselves.

Article 33(5) also requires controllers to log every breach — facts, effects and remedial action — even those that are never reported. That internal register is the first thing many authorities request, so a standing breach procedure with named responders and a decision tree saves precious hours when the clock is already running.

Data Subject Access Requests (Article 15)

The right of access is the most frequently exercised right under the Regulation, and handling it well is a discipline in its own right. Article 15 entitles individuals to confirmation of whether their data is processed, a copy of that data, and supporting information about purposes, recipients, retention and their other rights.

Process essentials to build into a workflow:

Timeline. Respond within one month of receipt. The period may be extended by two further months for complex or numerous requests, provided the individual is told of the extension and the reason within the first month.
Identity verification. Where there is reasonable doubt about the requester’s identity, ask for further information — but only what is proportionate.
Exemptions. A copy must not adversely affect the rights of others, and national law carves out further limits: the UK Data Protection Act 2018 and Ireland’s Data Protection Act 2018 both restrict access in areas such as legal privilege, certain regulatory functions and management forecasts.

Giving staff a structured intake form and response template — for instance a ready-made GDPR data subject access request process — keeps the one-month deadline manageable and prevents accidental over-disclosure.

Data-Retention Policy (Article 5(1)(e))

Storage limitation is a core principle: personal data must be kept in identifiable form no longer than necessary for the purposes of processing. A retention policy turns that principle into an operational schedule — what is held, why, for how long, and what happens at the end. Tie each retention period to a purpose or a statutory obligation (tax, employment, limitation periods), and define deletion or anonymisation as the default endpoint. A documented schedule also feeds directly into the privacy notice and the ROPA, closing the loop between principle and practice.

Build these seven documents as a connected set rather than isolated templates, review them when processing changes, and keep them ready for inspection. Supervisory authorities and the EDPB increasingly judge maturity by the quality of the paperwork — accountability under Article 5(2) means being able to show your reasoning, not merely assert it.

If you require help with a GDPR Compliance, Online Reputation Management, Removing content from Google, or a Right to be Forgotten request, please use the form below. By submitting an enquiry you agree to the gdpreu.org privacy policy.

Latest Posts

Project Governance, Compliance and Data Control in Modern Organizations

Cookie Consent vs UX: Designing Compliant Banners That Convert

5 Important Reasons Why Life Assure Medical Alert Is Must-Have Safety Device

The Evolution of Digital Evidence in DUI and OWI Litigation