Documentation of personal data processing purposes for data stores

Critical
High
Normal
Low

Processing of personal data is only lawful if one of the legal bases set out in the General Data Protection Regulation is met. The organization must be able to communicate the purpose of the processing and the legal basis to the data subject and, where appropriate, to the supervisory authority.

The documentation shall include at least:

  • the legal basis for the processing and the necessary additional information
  • the parties to whom the processing has been outsourced
  • related data sets
Connected other frameworks and requirements:
6. Lawfulness of processing
GDPR
18.1.4: Privacy and protection of personally identifiable information
30. Records of processing activities
GDPR
A.7.2.2: Identify lawful basis
ISO 27701
A.7.2.8: Records related to processing PII
ISO 27701

Reviewing the execution of data minimisation

Critical
High
Normal
Low

The organization should limit the collection of personal data to the minimum level that is essential and necessary for the purpose of processing the personal data collected.

The realization of the principle should be ensured regularly from the point of view of all processing by comparing the documentation of the management system (e.g. the purposes of use of the data) with the personal data held by the organization in practice.

Connected other frameworks and requirements:
A.7.4.1: Limit collection
ISO 27701
No items found.