GDPR Documentation Controller Template

Name and contact details
Name
Address
Email
Telephone
Business function Purpose of processing

Controller
Data Protection Officer (if applicable)
Name
Address
Email
Telephone
Name and contact details of joint Categories of individuals

controller (if applicable)
Representative (if applicable)
Name
Address
Email
Telephone
Article 30 Record of Processing Activities
Categories of personal data Categories of recipients

g Activities
Names of third countries or international

Link to contract with processor organisations that personal data are
transferred to (if applicable)
Safeguards for exceptional transfers of
personal data to third countries or Retention schedule (if possible)
international organisations (if applicable)
General description of technical and Article 6 lawful basis for processing
organisational security measures (if personal data
possible)
Privacy Notices
Article 9 basis for processing special Legitimate interests for the processing (if
category data applicable)
Privacy Notices
Link to record of legitimate interests Rights available to individuals

assessment (if applicable)
Existence of automated decision-making, The source of the personal data (if
including profiling (if applicable) applicable)
Consent Access Requests
Link to record of consent Location of personal data

Data Protection Impact Assessments
Data Protection Impact Assessment Data Protection Impact Assessment

required? progress
ssments Personal Data Breaches
Link to Data Protection Impact Has a personal data breach occurred?

Assessment
Personal Data Breaches Data Pro
Data Protection Bill Schedule 1 Condition

Link to record of personal data breach for processing
Data Protection Bill - Special Category or Criminal Conviction and Offence data
Link to retention and erasure policy

GDPR Article 6 lawful basis for processing document
Conviction and Offence data
Is personal data retained and erased in Reasons for not adhering to policy
accordance with the policy document? document (if applicable)
Name and contact details
Name Example controller
Address Street, city, postcode
Email Email address
Telephone Tel. number
Business function Purpose of processing
Finance Payroll
Finance Payroll
Finance Payroll
Finance Payroll
Human Resources Personnel file
Human Resources Recruitment
Sales Direct marketing

Controller
Data Protection Officer (if applicable)
Name Example DPO
Address Street, city, postcode
Email Email address
Telephone Tel. number
Name and contact details of joint Categories of individuals

controller (if applicable)
N/A Employees
N/A Employees
N/A Employees
N/A Employees
N/A Employees
N/A Employees
N/A Employees
N/A Employees
N/A Employees
N/A Successful candidates
N/A Unsuccessful candidates
N/A Existing customers
N/A Existing customers
N/A Potential customers
N/A Potential customers

Representative (if applicable)
Name N/A
Address N/A
Email N/A
Telephone N/A
Article 30 Record of Processing Activities
Categories of personal data Categories of recipients
Contact details HMRC

Bank details HMRC
Pension details HMRC
Tax details HMRC
Contact details N/A
Pay details N/A
Annual leave details N/A
Sick leave details N/A
Performance details N/A
Contact details Referee
Qualifications N/A
Employment history N/A
Ethnicity N/A
Disability details N/A
Contact details N/A
Qualifications N/A
Employment history N/A
Ethnicity N/A
Disability details N/A
Contact details Processor - marketing co.
Purchase history Processor - marketing co.
Contact details Processor - marketing co.
Lifestyle information Processor - marketing co.

g Activities
Names of third countries or international

Link to contract with processor organisations that personal data are
transferred to (if applicable)
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
Link N/A
Link N/A
Link N/A
Link N/A
Safeguards for exceptional transfers of
personal data to third countries or Retention schedule (if possible)
international organisations (if applicable)
N/A 5 years post-employment

N/A 6 months post-campaign
N/A End of customer relationship
N/A End of customer relationship
N/A 1 year post-campaign
N/A 1 year post-campaign

General description of technical and Article 6 lawful basis for processing
organisational security measures (if personal data
possible)
Encrypted storage and transfer Article 6(1)(c) - legal obligation

Encrypted storage Article 6(1)(b) - contract
Encrypted storage, access controls Article 6(1)(b) - contract
Encrypted storage and transfer Article 6(1)(b) - contract
Encrypted storage and transfer Article 6(1)(a) - consent

Privacy Notices
Article 9 basis for processing special Legitimate interests for the processing (if
category data applicable)
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
Article 9(2)(b) - employment N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
Privacy Notices
Link to record of legitimate interests Rights available to individuals

assessment (if applicable)
N/A Access and rectification

N/A Access, data portability, rectification
Access, data portability, rectification
Access, data portability, rectification,
N/A objection, erasure
Existence of automated decision-making, The source of the personal data (if
including profiling (if applicable) applicable)
No Data subject
No Data subject
No Controller
No Controller
No Data subject
No Controller
No Controller
No Controller
No Controller
Yes Data subject
Yes Data subject
Yes Data subject
No Data subject
No Data subject
Yes Data subject
Yes Data subject
Yes Data subject
No Data subject
No Data subject
Yes Data subject
Yes Data subject
Yes Data broker co.
Yes Data broker co.

Consent Access Requests
Link to record of consent Location of personal data
N/A Finance payroll system

N/A Finance pension system
N/A HR personnel system
N/A HR Recruitment system
Link Sales system, data processor

Data Protection Impact Assessments
Data Protection Impact Assessment Data Protection Impact Assessment

required? progress
No N/A
No N/A
No N/A
No N/A
No N/A
No N/A
No N/A
No N/A
No N/A
Yes Completed
Yes Completed
Yes Completed
No N/A
No N/A
Yes Completed
Yes Completed
Yes Completed
No N/A
No N/A
Yes Completed
Yes Completed
Yes Completed
Yes Completed
ssments Personal Data Breaches
Link to Data Protection Impact Has a personal data breach occurred?

Assessment
N/A No
N/A No
N/A No
N/A No
N/A No
N/A No
N/A No
N/A No
N/A No
Link No
Link No
Link No
N/A No
N/A No
Link No
Link No
Link No
N/A No
N/A No
Link No
Link No
Link No
Link No
Personal Data Breaches Data Protecti
Data Protection Bill Schedule Condition

Link to record of personal data breach for processing
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A Sch.1, Pt.1, 1 - Employment
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
Data Protection Bill - Special Category or Criminal Conviction and Offence data
Link to retention and erasure policy

GDPR Article 6 lawful basis for processing document
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
Article 6(1)(b) - contract Link
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
Conviction and Offence data
Is personal data retained and erased in Reasons for not adhering to policy
accordance with the policy document? document (if applicable)
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
Yes N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
Yes N/A
Yes N/A
N/A N/A
N/A N/A
N/A N/A
Yes N/A
Yes N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
Notes
Use this template to document the processing activities you undertake
as a controller.
Headings highlighted green are required areas of documentation under

Article 30 of the GDPR or Schedule 1 of the Data Protection Bill.
Headings highlighted blue are optional areas of documentation that are

not required under Article 30 of the GDPR or Schedule 1 of the Data
Protection Bill.
Instructions
1. Complete your organisation’s name and contact details in cells B3-
B6.
2. Complete your data protection officer’s name and contact details (if
applicable) in cells D3-D6.
3. Complete your representative’s name and contact details (if
applicable) in cells F3-F6.
4. Document your organisation’s processing activities, starting in cell

A10, and working from left to right. Where necessary use multiple rows
for each processing activity in order to be as granular as possible (see
example tab).
Guidance
For more detailed guidance on documentation, please see the Guide to
GDPR on our website.

GDPR Documentation Controller Template

Caricato da

Informazioni sul documento

Titolo originale

Copyright

Formati disponibili

Condividi questo documento

Condividi o incorpora il documento

Opzioni di condivisione

Hai trovato utile questo documento?

Questo contenuto è inappropriato?

Copyright:

Formati disponibili

GDPR Documentation Controller Template

Caricato da

Copyright:

Formati disponibili

Name and contact details

Business function Purpose of processing

Name and contact details of joint Categories of individuals

Article 30 Record of Processing Activities

Categories of personal data Categories of recipients

Names of third countries or international

Link to record of legitimate interests Rights available to individuals

Link to record of consent Location of personal data

Data Protection Impact Assessment Data Protection Impact Assessment

Link to Data Protection Impact Has a personal data breach occurred?

Data Protection Bill Schedule 1 Condition

Link to retention and erasure policy

Business function Purpose of processing

Sales Direct marketing

Sales Direct marketing

Sales Direct marketing

Sales Direct marketing

Name and contact details of joint Categories of individuals

N/A Existing customers

N/A Existing customers

N/A Potential customers

N/A Potential customers

Article 30 Record of Processing Activities

Categories of personal data Categories of recipients

Contact details HMRC

Contact details Processor - marketing co.

Purchase history Processor - marketing co.

Contact details Processor - marketing co.

Lifestyle information Processor - marketing co.

Names of third countries or international

N/A 5 years post-employment

N/A End of customer relationship

N/A End of customer relationship

N/A 1 year post-campaign

N/A 1 year post-campaign

Encrypted storage and transfer Article 6(1)(c) - legal obligation

Encrypted storage and transfer Article 6(1)(a) - consent

Encrypted storage and transfer Article 6(1)(a) - consent

Encrypted storage and transfer Article 6(1)(a) - consent

Encrypted storage and transfer Article 6(1)(a) - consent

Link to record of legitimate interests Rights available to individuals

N/A Access and rectification

Yes Data subject

Yes Data subject

Yes Data broker co.

Yes Data broker co.

Link to record of consent Location of personal data

N/A Finance payroll system

Link Sales system, data processor

Link Sales system, data processor

Link Sales system, data processor

Link Sales system, data processor

Data Protection Impact Assessment Data Protection Impact Assessment

Link to Data Protection Impact Has a personal data breach occurred?

Data Protection Bill Schedule Condition

Link to retention and erasure policy

Headings highlighted green are required areas of documentation under

Headings highlighted blue are optional areas of documentation that are

4. Document your organisation’s processing activities, starting in cell

Potrebbero piacerti anche