GDPR Documentation Requirements: Checklist of Documents Required by EU GDPR



If you're involved in data processing or handle personal data in the EU, you're likely familiar with the term GDPR. GDPR stands for General Data Protection Regulation. It's a legal framework that aims to protect data and privacy. This framework is applicable within the European Union and the European Economic Area. But knowing GDPR is one thing; implementing its comprehensive requirements is another. This is where GDPR documentation comes into play.
GDPR documentation serves as concrete proof of your compliance journey. It's not a formality but a crucial element that can safeguard your business in the event of audits or data breaches. Documentation ensures that you're not just claiming compliance; you're demonstrating it. This is essential for all companies, big or small, that process EU citizens' data.
On this page, we aim to provide you with a comprehensive list of all mandatory documents required for GDPR compliance. We'll also offer a GDPR documentation checklist to ensure you've got all your bases covered. But we won't stop there. To give you a comprehensive view, we'll go beyond the basics. We'll discuss extra documentation that's not mandatory but can be very helpful. These documents can improve your efforts to be GDPR-compliant.
Whether you're new to GDPR or looking to update your existing documentation, this guide aims to be your one-stop resource. Don't forget, our Privacy tool is here to make your life easier. It streamlines your GDPR documentation compliance. This means you can put your focus back on what you're great at running your business.
For detailed insights into GDPR and privacy, visit our dedicated area on GDPR and privacy. If you'd like to know more about GDPR in general, here's everything you need to know about GDPR.
So, let's dive in and unravel the complexities of GDPR documentation.

List of Mandatory Documents Required by EU GDPR

This list gives you a quick snapshot of the essential documents for GDPR compliance. We'll delve into each of these in the following sections to provide a comprehensive guide.

  • Personal Data Protection Policy

  • Privacy Notice

  • Employee Privacy Notice

  • Data Retention Policy

  • Data Retention Schedule

  • Data Subject Consent Form

  • Parental Consent Form

  • DPIA Register

  • Supplier Data Processing Agreement

  • Data Breach Response and Notification Procedure

  • Data Breach Register

  • Data Breach Notification Form to the Supervisory Authority

  • Data Breach Notification Form to Data Subjects

GDPR Documentation Checklist

Navigating the maze of GDPR compliance may often feel overwhelming. The key to successful compliance has two main parts. First, you need to understand the legal language of GDPR. Second, it's crucial to put in place a series of documents. These documents help protect both you and the individuals whose data you're handling. In simple terms, these documents serve as the roadmap to your GDPR compliance journey.

The GDPR, or General Data Protection Regulation, has set a high standard for data protection worldwide. It governs how businesses collect, store, and manage personal data. You must be familiar with its scope, as even minor violations can lead to severe financial penalties. GDPR provides general principles for protecting data. However, the details of how to implement these principles often depend on your organization's documents.
In this section, we will explore each mandatory document required for GDPR compliance in depth. We'll provide you with a step-by-step guide for each, detailing what they are, what they mean, and who needs to comply with them. We'll also link to the relevant GDPR articles for each document, so you can delve deeper into the legal requirements as needed.
This checklist is a vital tool whether you're an experienced data protection officer or a business owner starting with compliance. By the end of this guide, you will have a clear picture of the documentation needed to align your organization with GDPR requirements.
Feel free to reference this checklist frequently. If you're looking for an efficient way to handle GDPR documentation, our Privacy tool is your answer. It's specifically designed to make the process simpler for you. You can even consult our comprehensive guide on GDPR for more information or explore our pricing plans for various support options.

Personal Data Protection Policy

This document outlines how your organization plans to protect personal data. It serves as a guide for employees and sets the standard for data handling practices. Ensuring this policy aligns with Article 24 of the GDPR is vital for compliance.

Privacy Notice

Your Privacy Notice is a public document that informs users how their personal data will be used, stored, and protected by your organization. This should align with Article 12, 13, and 14 of the GDPR

Employee Privacy Notice

Similar to the Privacy Notice, the Employee Privacy Notice is an internal document that tells your staff how their data will be handled. The specifics can be derived from Article 88 of the GDPR.

Data Retention Policy

This policy document states how long data will be stored and the guidelines for data deletion. It's critical to align this with Article 5(1)(e) and Article 5(2) of the GDPR.

Data Retention Schedule

This schedule offers a detailed breakdown of specific types of data and their corresponding retention periods, in compliance with your Data Retention Policy.

Data Subject Consent Form

This is the form data subjects fill out to give explicit consent for data processing. This is in line with Article 7 of the GDPR.

Parental Consent Form

When dealing with minors, parental consent is often needed. The form must be compliant with Article 8 of the GDPR.

DPIA Register

Data Protection Impact Assessment (DPIA) is a process that helps to evaluate how personal data is processed and to ensure it is compliant with the GDPR. The DPIA Register keeps track of all DPIAs carried out. It is crucial for compliance with Article 35 of the GDPR.

Read also: Data Privacy Risk Management - Best Practices & Frameworks

Supplier Data Processing Agreement

This agreement is between you and your suppliers that process personal data on your behalf. It should be in compliance with Article 28 of the GDPR.

Data Breach Response and Notification Procedure

This procedure outlines the steps your organization will take in case of a data breach. Adherence to Article 33 and 34 of the GDPR is mandatory for immediate action and communication in the event of a data breach.

Data Breach Register

This is a record of all data breaches, regardless of their severity, as mandated by Article 33 of the GDPR. It helps in the review and prevention of future incidents.

Data Breach Notification Form to the Supervisory Authority

In case of a data breach, this form is used to inform the supervisory authority, adhering to the guidelines in Article 33 of the GDPR.

Data Breach Notification Form to Data Subjects

This is the form used to inform affected data subjects in case of a data breach. It is in accordance with Article 34 of the GDPR.
Remember, each document plays a vital role in ensuring full GDPR compliance. While the process may seem daunting, our Privacy tool simplifies GDPR documentation, making the task far less overwhelming.

Feel free to consult our comprehensive guide to GDPR for a deeper dive into each of these requirements. For further inquiries, check out our pricing options.

Non-Mandatory, but Useful Documentation

While the mandatory documents are essential for GDPR compliance, you may need additional documents too. These become necessary under specific conditions. Those conditions are based on your data processing activities. They also depend on the volume of data you handle and the type of data transfer your organization undertakes. Below, we walk you through each of these "conditional" documents, detailing when you need them and what they entail.
  • Data Protection Officer Job Description

  • Project Plan for Complying with the EU GDPR

  • Standard Contractual Clauses for the Transfer of Personal Data to Controllers

  • Standard Contractual Clauses for the Transfer of Personal Data to Processors

Non-Mandatory, but Useful Documentation Checklist

Data Protection Officer Job Description

If your organization handles large amounts of sensitive data, you may need to appoint a Data Protection Officer (DPO). The same is true if your core activities involve regular monitoring of data subjects. The DPO's job description is a crucial document. It outlines the roles, responsibilities, and qualifications needed for this position. It helps both your staff and the appointed DPO understand what is expected Article 37 GDPR.

Record of Processing Activities

Under certain circumstances, you must maintain a record of all data processing activities. This record serves as a ledger detailing what data is being processed, by whom, and for what purpose. It's especially crucial for organizations that handle a diverse range of data categories Article 30 GDPR.


Standard Contractual Clauses for the Transfer of Personal Data to Controllers

When you transfer data to countries that are registered as "unsecured third countries" you need to provide an SCC. These are pre-approved clauses. They ensure that the recipient controller offers an adequate level of data protection Article 46 GDPR. Be aware of transfers to the U.S. Here companies can register under the Privacy Framework - read more here.

Standard Contractual Clauses for the Transfer of Personal Data to Processors

Also, for Data transfers to processors in unsecured countries, Standard Contractual Clauses are a must. These clauses aim to ensure that the processor handles the data with care. They also make sure the processor meets the protection levels required by the GDPR. Article 46 GDPR. Be aware of transfers to the U.S. Here companies can aswel register under the Privacy Framework.


By being proactive and preparing these extra documents, you'll be a step ahead in your GDPR compliance journey.

Helper swirl top

Simplify GDPR Documentation - Try .Legal’s Privacy Tool For Free

Left blob
  • Årshjul thumbnail

  • Risiko thumbnail

  • Behandlingsaktiviteter thumbnail

Right blob
Helper swirl bottom
joa i blob

Do you want to hear more about our free GDPR platform?

Book at meeting with our CPO Johannes here
Helper bottom swirl

Non-Mandatory, but Useful Documentation

You need to be compliant with the mandatory documentation. But there are also optional documents. These can enhance your compliance strategy. These documents are useful for specific scenarios or as a part of a data protection plan. Below are some non-mandatory but recommended documents:
  • EU GDPR Readiness Assessment

  • Project Plan for Complying with the EU GDPR

  • Employee Personal Data Protection Policy

  • Register of Privacy Notices

  • Guidelines for Data Inventory and Processing Activities Mapping

  • Data Subject Consent Withdrawal Form

  • Parental Consent Withdrawal Form

  • Data Subject Access Request Procedure

  • Data Subject Access Request Form

  • Data Subject Disclosure Form

  • Data Protection Impact Assessment Methodology

  • Cross Border Personal Data Transfer Procedure

  • Processor GDPR Compliance Questionnaire

  • Documents regulating security of personal data

Non-Mandatory, but Useful Documentation Checklist

EU GDPR Readiness Assessment

Before diving into GDPR compliance, it's helpful to gauge where you stand. An "EU GDPR Readiness Assessment" allows you to test your existing data protection measures. This is particularly useful for companies that are new to GDPR. Or companies that are unsure about their level of compliance.

Project Plan for Complying with the EU GDPR

Developing a project plan outlines the steps you need to take to achieve full GDPR compliance. It helps to set goals, allocate resources, and establish timelines. This offers a structured approach to what can be a complex process.

Employee Personal Data Protection Policy

While a broader Data Protection Policy is mandatory, having a tailored policy for employees can add another layer of security. This specialized document can cover details that are specific to your workforce. For example, it could outline the data collected during the recruitment process. It can also provide guidelines for how to handle personal data in internal communications.

Register of Privacy Notices

Keeping a record of all your privacy notices can serve as an excellent reference. This is particularly useful during internal reviews. It also serves value in the case of a data protection audit.

Guidelines for Data Inventory and Processing Activities Mapping

Proper data management starts with knowing what data you have and how it's processed. Guidelines for data inventory and mapping can provide a systematic way to keep track of your data processing activities.

Data Subject Consent Withdrawal Form

While it's mandatory to have a form for collecting consent, having a method for data subjects to withdraw consent is equally important. A straightforward procedure can simplify this process for both you and the data subjects. A pre-prepared form makes this process more streamlined for both parties.

Parental Consent Withdrawal Form

Similar to the data subject consent form, a withdrawal form should be in place if you collect data from minors. Parents or guardians should be able to withdraw consent easily.

Data Subject Access Request Procedure

This procedure outlines the steps a data subject must follow to access their data. It helps to ensure that data subjects know their rights and that your organization knows how to respond appropriately.

Data Subject Access Request Form

A standard form can make handling access requests easier. It streamlines the process for both data subjects and your organization. This helps enable efficient handling of these requests.

Data Subject Disclosure Form

This form is for data subjects to authorize the disclosure of their data to third parties. It ensures clarity and consent when sharing data externally.

Data Protection Impact Assessment Methodology

This document outlines the methods and criteria for conducting a Data Protection Impact Assessment (DPIA). While a DPIA register is mandatory for specific conditions, having a methodology in place is beneficial for all scenarios.

Read more about GDPR Risk Assessments here

Cross Border Personal Data Transfer Procedure

This outlines the protocols for transferring personal data across borders. It's particularly useful for organizations that operate internationally.

Processor GDPR Compliance Questionnaire

If you're using third-party processors, this questionnaire can be a valuable tool. It helps to assess and ensure that they are GDPR compliant.

Documents regulating security of personal data

These documents are comprehensive and cover two main areas. They outline the technical measures and the organizational measures you have in place for data security.

Each of these documents serves a purpose in creating a robust data protection framework. These documents can help in two ways. First, they can aid your compliance efforts. Second, they can simplify your GDPR documentation process..

GDPR Documentation Made Easy with .legal's Privacy Tool

Handling GDPR documentation is a complex task that demands meticulous attention to detail. The Privacy tool by .legal is designed to make this process effortless, helping you achieve GDPR compliance. Below, let's delve into the features and benefits of Privacy.
privacy left grafic

Let Privacy Guide You in Your Documentation Tasks

Starting your GDPR documentation can be a daunting task. That's where Privacy comes in. Privacy is a digital tool that simplifies the documentation and management of your organization's personal data processing. It offers features like templates created by legal experts and built-in help functionality, ensuring you're guided at every step. It's a platform designed to help you:
  • Get Started Quickly: Utilize our templates for a head start.
  • In-Built Guidance: Use the help functionality to navigate through compliance requirements.
  • Complete Overview: Store and manage all GDPR-related documentation.
Registrering af behandlingsaktiviteter-1

Store and Access Relevant Documents in One Place

Organization is key to managing GDPR compliance. Privacy allows you to prepare, store, and get an overview of all your GDPR documentation in one centralized location. You can assign roles to different users based on their responsibilities, delegate tasks, and even collaborate across departments. The tool aids in:
  • Task Delegation: Easily assign tasks related to data collection and compliance.
  • Access Control: Limit or expand access to documentation based on user roles.
  • Overview and Monitoring: Quickly see who needs to provide input and where there's a lack of documentation.

Comprehensive Support

Privacy is not just a tool but a complete support system for your GDPR compliance journey. Whether it's carrying out risk assessments or understanding your overall risk landscape, Privacy offers functionalities to streamline these processes. You'll be able to:
  • Assess Risks: Utilize the tool to perform risk assessments on your data processing activities.
  • Automated Risk Analysis: Get an automatic snapshot of the critical nature of your processes.
  • Continuous Improvement: The platform's ease of use ensures it's accessible, allowing for continuous improvements in your GDPR compliance journey.

Privacy by .legal is not just another software tool; it's a robust platform designed to simplify GDPR compliance, making it more efficient and less prone to error. Get started today.


+230 large and small companies use .legal