List of mandatory documents required by EU GDPR

The General Data Protection Regulation (GDPR) has already raised many controversies, and one of the biggest is certainly which documents are required. For example, you often see companies that think having a privacy policy and a consent form on their website is enough; however, these are only a small part of the documents required to be fully compliant with this privacy regulation.

Therefore, we created a list of GDPR documentation requirements to help you find all mandatory documents in one place. Please note that the names of the documents are not prescribed by the GDPR, so you may use other titles; you may also merge some of these documents.

Mandatory documents required by EU GDPR:
  1. Personal Data Protection Policy
  2. Privacy Notice
  3. Employee Privacy Notice
  4. Data Retention Policy
  5. Data Retention Schedule
  6. Data Subject Consent Form
  7. Parental Consent Form
  8. DPIA Register
  9. Supplier Data Processing Agreement
  10. Data Breach Response and Notification Procedure
  11. Data Breach Register
  12. Data Breach Notification Form to the Supervisory Authority
  13. Data Breach Notification Form to Data Subjects

Mandatory documents and records required by EU GDPR

Here are the documents that you must have if you want to be fully GDPR compliant:


GDPR documentation requirements: Policies and procedures

Documents that are needed under certain conditions

You’ll need the following documents if the following conditions apply:

  • Data Protection Officer Job Description (Articles 37, 38, and 39) – you’ll need to have a Data Protection Officer (DPO) if (a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity; or (b) the core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale; or (c) the core activities consist of large-scale processing of special categories of data or of personal data relating to criminal convictions and offences. Learn what the DPO must do in this free online training: GDPR Data Protection Officer Course.
  • Inventory of Processing Activities (Article 30) – this document is mandatory if (a) the company has more than 250 employees; or (b) the processing the company carries out is likely to result in a risk to the rights and freedoms of data subjects; or (c) the processing is not occasional; or (d) the processing includes special categories of data; or (e) the processing includes personal data relating to criminal convictions and offences.
  • Standard Contractual Clauses for the Transfer of Personal Data to Controllers (Article 46) – mandatory if you are transferring personal data to a controller outside the European Economic Area (EEA) and you are relying on model clauses as your lawful grounds for cross-border data transfers.
  • Standard Contractual Clauses for the Transfer of Personal Data to Processors (Article 46) – mandatory if you are transferring personal data to a processor outside the EEA and you are relying on model clauses as your lawful grounds for cross-border data transfers.

Non-mandatory documents

Here are the documents that are not required by the GDPR. However, you might find these kinds of documents quite useful if you want to maintain your compliance without worries:

Here you can download a free preview of the EU GDPR Premium Documentation Toolkit, where you can see the structure and part of the text for each of the above-mentioned documents.


Dejan Kosutic

Leading expert on cybersecurity & information security and the author of several books, articles, webinars, and courses. As a premier expert, Dejan founded Advisera to help small and medium businesses obtain the resources they need to become compliant with EU regulations and ISO standards. He believes that making complex frameworks easy to understand and simple to use creates a competitive advantage for Advisera's clients, and that AI technology is crucial for achieving this.

As an ISO 27001, NIS 2, and DORA expert, Dejan helps companies find the best path to compliance by eliminating overhead and adapting the implementation to their size and industry specifics.