What GDPR Documentation Company Needs

Other GDPR Documents

When a company has already passed the first stage of GDPR implementation — created basic documents like RoPA, privacy policy, DPA — there appears a feeling that the hardest part is behind. But in practice, it is precisely the following documents that determine how well the personal data protection system will work daily, not just on paper.

It’s important to understand: most of them are not named in GDPR directly. However, they grow out of key principles — accountability, transparency, storage limitation, and ensuring security (Article 5 GDPR). And if a supervisory authority comes for an inspection, these documents will most often become proof that the company actually manages data processing, rather than simply declaring intentions.

Let’s examine each of them separately.

Data Sharing Agreement

This document is needed when a company transfers data to an independent controller — that is, a party that determines for itself why and how it will use the data. Example: a marketplace transfers information about a seller to a bank for identity verification. The bank does not carry out the marketplace’s instructions; it acts as an independent controller.

DSA helps describe:

• • why data is transferred,
  • what data is transferred,
  • who does what when data subjects make requests.

It is linked to transparency requirements (Art. 13–14 GDPR) and accountability (Art. 5(2) GDPR). Imagine a situation: a company transferred data to a partner without formalizing an agreement, and then couldn’t fulfill a deletion request because the partner refused to delete records. DSA prevents precisely such cases.

Joint Controllership Agreement

Joint control arises more often than it seems. For example, if a company and its partner jointly determine the purposes of data processing — as happens with joint marketing or the operation of a platform and sellers.

GDPR requires formalizing such relationships and establishing the roles and responsibilities of the parties. Without this, in the event of an incident, data subjects can make claims against both parties, and it will be difficult to prove the boundaries of responsibility.

Terms of Use

All users know this document, but few understand its role in GDPR. If data processing is based on a contract (Art. 6 GDPR), the terms of use help define the framework of obligations.

For example, a SaaS service is obliged to provide access to the product, and the user must provide data necessary for registration. If the terms are formulated vaguely, the company risks going beyond the “contract” and ending up in the zone of consent requirements.

Retention Policy

The principle of storage limitation (Art. 5(1)(e) GDPR) requires not storing data “just in case“. But without a formal document, companies rarely understand:

• • what data they have,
  • how long it’s stored,
  • when and how to delete it.

In our practice, there’s a case where such excessive data retention was disadvantageous to the company even from a cost perspective. It stored a list of email subscribers for five years, although half the addresses were inactive. After implementing a Data Retention Policy, the database was cut in half, and costs for data storage on the server and mailings significantly decreased.

Information Security Policy

This is the foundation of all technical and organizational measures. It describes:

• • who is responsible for security,
  • how access is granted,
  • what devices are permitted,
  • how incidents are prevented and handled.

Regulators often request precisely this document when verifying compliance with the principle of integrity and confidentiality (Art. 5(1)(f)). Without it, a company cannot prove a systematic approach to data protection.

Mobile Device Usage Rules

When employees use personal phones or laptops for work (BYOD model), risks increase dramatically. A lost phone with access to corporate email can become a source of leakage.

This document describes:

• • device requirements,
  • mandatory password protection,
  • encryption,
  • prohibition on storing data locally.

The absence of BYOD rules can work against a company when an employee downloads a client database onto a personal laptop “to work on the weekend“, and it gets stolen or hacked.

Rules for Processing Personal Data During Remote Work

Remote work has become the standard, but not all companies have adapted their processes. This document helps implement:

• • VPN,
  • two-factor authentication,
  • requirements for home Wi-Fi networks,
  • prohibition on using public networks.

A leak can even be related to working in a café using a connection to a publicly accessible Wi-Fi point. Such points may be insufficiently protected, and traffic can be intercepted by attackers.

Document on Internal Audits by the DPO

GDPR requires demonstrating compliance, not simply asserting it. Therefore, regular checks become a mandatory element of accountability (Art. 5(2)).

The document establishes:

• • how often an audit is conducted,
  • who participates,
  • how results are documented.

A critically important feature: each check must conclude with an action plan. In many companies, checks turn into a formality, and this document helps avoid “paper compliance“.

Procedure for Maintaining and Updating RoPA

Art. 30 GDPR requires a current register of processing activities. But in reality, RoPA is often created once — and forgotten.

This document establishes:

• • who is responsible for updating,
  • how changes are recorded,
  • how new processing activities are entered.

During inspections, supervisory authorities often compare actual processes and RoPA. If the register is outdated, this is perceived as a lack of control, even if the processes generally exist.

Procedure for Training and Testing Employee Knowledge

GDPR compliance is impossible without people’s participation. Most leaks occur due to employee errors: phishing emails, incorrect access settings, file forwarding.

This document defines:

• • how training is conducted,
  • how participation is recorded,
  • how knowledge is tested.

Regular training minimizes the risk that an employee themselves will become a source of risk.

Procedure for Disposing of Information Carriers

Even the strictest security policy won’t help if an old hard drive with data ends up at a flea market. This document describes:

• • how physical media are destroyed,
  • how data is deleted before transferring equipment,
  • what methods are used.

It is linked to the principles of storage limitation and confidentiality (Art. 5(1)(e),(f)). If a company sells laptops to former employees without wiping the drives, client data ends up in the open. The disposal procedure document prevents precisely such incidents.

These documents form the “operational core” of GDPR. They prove that a company hasn’t simply written a privacy policy, but actually manages data processing: controls access, trains employees, deletes outdated data, and regulates relationships with partners. It’s precisely the presence of such procedures that most often convinces regulators and clients that a business is mature, responsible, and deserves trust.

How to Create Documents for Regulation Compliance: 7 Tips

Start Not with Text, but with Processes

The most common business mistake is trying to immediately write a policy or agreement. But a document should describe what is already working, or launch a process that will be implemented. Therefore, the first step should always be strategy: how the company will build a personal data protection system and what resources it can allocate to this.

Good practice is to start with data and business process inventory. Until you yourself know what processes are happening inside, it’s impossible to create correct documents.

A useful tool is Data Flow Mapping — a diagram showing how data passes through systems. Based on it, RoPA, retention policy, DPA, and security processes are formed.

Focus on Risk

GDPR recognizes that achieving absolute compliance is impossible. Therefore, when developing documents, it’s important to prioritize: first — processing with high risk, then everything else.

Companies that try to “do everything at once” often spend resources on secondary documents, forgetting about critical processes. It’s much more effective to ask questions:

• • where is our most sensitive data?
  • who has access to it?
  • what risks are most likely?

And based on this, determine the development sequence.

Make Documents Understandable

Article 12 GDPR requires that public documents be understandable to an ordinary person. This sounds simple, but in practice many policies and procedures look like dry legal texts: long sentences, complex constructions, terms without explanations.

A user who has read such a policy will not feel trust. And most likely, they won’t even take on reading it.

Therefore, it’s important to:

• • write in simple “human” language,
  • structure information,
  • use visual elements, hints,
  • adapt the document to the audience.

If a document is understandable, it’s a sign of maturity of the personal data protection system.

Make Documents Unique and Keep Them Current

One of the most harmful practices is copying documents from competitors. In addition to obvious risks (others’ errors, inconsistency with processes), there are also curious cases: for example, when a small SaaS company’s policy has a section on video surveillance at production facilities, although it had neither an office nor cameras.

Documents must reflect:

• • real processes,
  • specific systems,
  • specific risks.

And they must be constantly updated. The process of updating RoPA, policies, or procedures must be formalized. If a company implements a new CRM or starts working with a new contractor, documents must change.

Regulators very quickly notice discrepancies between documents and reality. And this most often leads to claims.

Describe the Real Security Measures That Exist in the Company

Companies sometimes create an impression of security “on paper,” but upon inspection it turns out that technical measures have not been implemented. For example, a policy prohibits storing data locally, but employees continue downloading databases to laptops.

Therefore, when developing documents, it’s important to ask specific questions:

• • where is data physically stored?
  • who has access to the servers?
  • where do developers and support work?
  • what infrastructure is used?

Documents must describe real measures; otherwise, they turn into risks.

Involve Employees

GDPR is impossible through the efforts of a single DPO or lawyer alone. If employees don’t understand why it’s being done, delays, sabotage, and errors arise. Therefore, part of the documentation should be aimed at training and informing: instructions, rules, response processes.

Companies that explain privacy goals usually implement changes faster and encounter incidents less frequently.

How Does Professional Document Development Work?

Our team at Data Privacy Office Europe begins work not with templates, but with process analysis: we conduct interviews with process owners, audit existing practices, and assess real risks. After this, an implementation strategy is created, and only then documents.

Developing GDPR documents is truly similar to creating an architectural project. You can’t simply take someone else’s blueprint and hope it will fit. First, you need to study the “terrain” — processes and risks, then develop a strategy, and only after that create documentation that will work in reality. This approach not only helps comply with the GDPR, but also makes the business more resilient, secure, and attractive to clients and partners.

Understanding which documents are truly important and how to create them properly allows you to avoid overloading the business with bureaucracy while simultaneously meeting legislative requirements. The next step is to conduct an inventory of data and processes, determine priorities, and begin building documentation, starting with key documents. As the business develops, documents must be updated and adapted to changes. If you approach this systematically, documentation becomes not a burdensome obligation, but a working tool that strengthens the company and helps it grow safely.