

Often people start with documentation and the mandatory GDPR policies. However, merely having a GDPR policy in your cabinet doesn't make you GDPR compliant. The hard part is fitting the puzzle together so that your documentation reflects your data processing activities, along with the GDPR principles, security measures, responsibilities, and governance in practice, so that you actually work up to its standards.

Our take on documentation is efficiency over quantity. We aim to cover all the mandatory and compliance aspects in easy-to-monitor lists, Standard Operational Procedures (SOPs) and policies, and to train your team on what's in them so that your documentation matches your work and working systems.


Note that this is not an exhaustive list; other documentation may be mandatory to monitor or document based on your activities.

Art. 5 (e) GDPR

Data Retention Policy

Set, per type of data, how long it shall be retained and whether and how it shall be deleted.

Art. 6 (2) GDPR


When the legal basis for processing is a contract.

Art. 7 GDPR


When the legal basis for processing is consent.

Art. 8 GDPR

Parental consents

When the legal basis for processing is consent, but your data subjects are minors.

Art. 12 (3) GDPR

Data subject policy

Set out the internal process for data subjects to exercise their data protection rights.

Art. 13 GDPR

Privacy Policy

Be transparent about your data processing activities in your privacy policy.

Art. 24 GDPR

General Company Policy

Provide the parameters within which your company complies with the GDPR principles.

Art. 28 GDPR

Data Processing Contracts

Hold your external data processors accountable via data processing agreements.

Art. 30 GDPR

Record of Data Processing Activities

Keep a register of all your data processing activities, legal basis, data subjects and external processors, storage, retention, and transfers. (This Record is usually kept by your DPO.)

Art. 32 GDPR

Security policies

Design and implement your technical and organisational security measures. Include IT, remote working, audit, external vendors, etc.

Art. 34 GDPR

Data breach policy

Set out the internal process for data breaches: who is responsible for which task, when to contact, and how to mitigate adverse events.

Art. 35 GDPR

Data Protection Impact Assessment (DPIA)

Assess risks when starting a new impactful data processing activity with potential risks for data subjects.

Art. 46 GDPR

Data Transfers

When internationally transferring data outside the EEA, follow the requirements from Chapter V, GDPR.

Art. 88 GDPR

Employee Policy

Provide transparency to employees about what data is being collected, whether and how they are monitored, and what their rights are.
