Organisation must maintain a listing of controlled data stores and their owners. Owner is responsible for completing the documentation and other possible security actions directly related to the data store.

Data store documentation must include at least:

• Connected responsibilities
• Data processing purposes (covered in a separate task)
• Data sets included in the data store (covered in a separate task)
• Data disclosures (covered in a separate task)
• When necessary, data stores connections to action processes

The organization shall maintain a list of data sets contained in the data stores it manages.

The documentation shall include at least the following information:

• Data systems and other means used to process the data sets
• Key categories of data in the data set (and whether it contains personal data)
• Data retention period (discussed in more detail in a separate task)
• Information on archiving / disposal of data (discussed in more detail in a separate task)

Processing of personal data is only lawful if one of the legal bases set out in the General Data Protection Regulation is met. The organization must be able to communicate the purpose of the processing and the legal basis to the data subject and, where appropriate, to the supervisory authority.

The documentation shall include at least:

• the legal basis for the processing and the necessary additional information
• the parties to whom the processing has been outsourced
• related data sets

One of the legal grounds for lawful processing of personal data is the implementation of the data controller or a third party's legitimate interests. To determine when a legitimate interest is justified, a so-called balance test is done to weigh controller or a third party interest against the basic rights of the data subject.

When our processing based on a legitimate interest, we document the implementation of the balancing test and its results so that, if necessary, we can demonstrate that our operations comply with GDPR.

GDPR defines six main legal bases for the lawful processing of personal data. In addition, more strict requirements apply to processing of special groups of personal data. The legal basis must also be communicated to the data subjects in privacy communication. However, not all legal bases adapt to all situations and the application of certain legal bases imposes additional requirements on the controller.

The Data Protection Officer (or other responsible person) helps to develop the lawfulness of the processing by assessing the legal bases for the different purposes in cooperation with the units carrying out the processing and on the basis of data protection communications.