Organisation must maintain a listing of used data systems and their owners. Owner is responsible for completing the related documentation and possible other security actions directly related to the data system.
Data system documentation must include at least:
The organization must maintain a list of partners who have access to confidential information. System vendors and processors of personal data are listed separately from other stakeholders because they play an active role in the processing of data.
GDPR defines the conditions for the lawful transfer of personal data outside the EU or the EEA.
The organization shall document all data transfers and the applicable transfer criteria. Data transfers can occur, for example, based on the location of the data system, the data processing partner or the recipient of the data disclosure.