RODO documentation

RODO documentation: preparation and its essence

Pursuant to the General Data Protection Regulation of April 27, 2016, in force since May 25, 2018, all companies and entrepreneurs are required to keep records in a manner consistent with the personal data protection policy. The regulation itself does not contain an exhaustive list of the required documentation or detailed security and data storage procedures.

Preparing RODO documentation – what steps should be taken?

The starting point for preparing documentation compliant with the GDPR is an audit of the existing documentation for compliance with the Regulation. Companies or entrepreneurs who keep incomplete documentation or do not meet statutory requirements face sanctions, usually in the form of significant fines. The documentation includes both internal procedures and documents through which compliance with the GDPR is disclosed to third parties, for example a privacy policy posted on the website or information obligations.

Internal documentation is further divided into three main subgroups: documentation that makes it possible to account for the requirements of the GDPR, documentation supporting security procedures, and registers. Documentation from each of these three groups must be included in the company’s internal documentation. Appropriate procedures should also be prepared for personal data breaches, for example data leakage from the system or the transfer of data by an employee to an unauthorized entity.

What documentation should be prepared to comply with RODO?

Documentation can be divided into required and recommended. During an inspection, no sanctions will be imposed for the lack of recommended documentation, but having it will facilitate the functioning of the company and will simplify and speed up the inspection. The required documentation includes:

  • Data retention rules
  • Privacy by design and privacy by default principles
  • Organizational structure for data protection
  • Authorization procedure
  • Handling personal data protection incidents
  • Personal data protection impact assessment
  • Implementation of the rights of the persons whom the data concerns
  • Record of processing activities
  • Register of categories of processing activities

In addition, information clauses and consent clauses are necessary.

Recommended documentation includes, for example, information materials for employees, a description of security measures, or training or internal audit procedures.


What is the purpose of preparing so much documentation in connection with RODO?

In view of the numerous obligations imposed on entities processing personal data, it is also necessary to keep detailed documentation that allows these obligations to be performed properly. The main purpose of most of the required documentation is not to fulfill a specific obligation, but to prove that it has been implemented correctly. In addition, the preparation of such documentation certainly ensures the security of the data not only of employees, but also of other persons whose data the company processes. They also need to know how this data is collected and stored, and appropriately prepared documentation serves this purpose. If you need help in checking the compliance of your documentation with the requirements of the GDPR or in its preparation, please contact our law firm.