You are on page 1of 61

Name and contact details

Name
Address
Email
Telephone

Business function Purpose of processing


Controller
Data Protection Officer (if applicable)
Name
Address
Email
Telephone

Name and contact details of joint Categories of individuals


controller (if applicable)
Representative (if applicable)
Name
Address
Email
Telephone

Article 30 Record of Processing Activities

Categories of personal data Categories of recipients


g Activities

Names of third countries or international


Link to contract with processor organisations that personal data are
transferred to (if applicable)
Safeguards for exceptional transfers of
personal data to third countries or Retention schedule (if possible)
international organisations (if applicable)
General description of technical and Article 6 lawful basis for processing
organisational security measures (if personal data
possible)
Privacy Notices

Article 9 condition for processing special Legitimate interests for the processing (if
category data applicable)
Privacy Notices

Link to record of legitimate interests Rights available to individuals


assessment (if applicable)
Existence of automated decision-making, The source of the personal data (if
including profiling (if applicable) applicable)
Consent Access Requests

Link to record of consent Location of personal data


Data Protection Impact Assessments

Data Protection Impact Assessment Data Protection Impact Assessment


required? progress
ssments Personal Data Breaches

Link to Data Protection Impact Has a personal data breach occurred?


Assessment
Personal Data Breaches Data Protec

Data Protection Act 2018 Schedule 1


Link to record of personal data breach Condition for processing
Data Protection Act 2018 - Special Category or Criminal Conviction and Offence data

Link to retention and erasure policy


GDPR Article 6 lawful basis for processing document
nal Conviction and Offence data

Is personal data retained and erased in Reasons for not adhering to policy
accordance with the policy document? document (if applicable)
Name and contact details
Name Example controller
Address Street, city, postcode
Email Email address
Telephone Tel. number

Business function Purpose of processing

Finance Payroll
Finance Payroll
Finance Payroll
Finance Payroll
Human Resources Personnel file
Human Resources Personnel file
Human Resources Personnel file
Human Resources Personnel file
Human Resources Personnel file
Human Resources Recruitment
Human Resources Recruitment
Human Resources Recruitment
Human Resources Recruitment
Human Resources Recruitment
Human Resources Recruitment
Human Resources Recruitment
Human Resources Recruitment
Human Resources Recruitment
Human Resources Recruitment

Sales Direct marketing

Sales Direct marketing

Sales Direct marketing

Sales Direct marketing


Controller
Data Protection Officer (if applicable)
Name Example DPO
Address Street, city, postcode
Email Email address
Telephone Tel. number

Name and contact details of joint Categories of individuals


controller (if applicable)

N/A Employees
N/A Employees
N/A Employees
N/A Employees
N/A Employees
N/A Employees
N/A Employees
N/A Employees
N/A Employees
N/A Successful candidates
N/A Successful candidates
N/A Successful candidates
N/A Successful candidates
N/A Successful candidates
N/A Unsuccessful candidates
N/A Unsuccessful candidates
N/A Unsuccessful candidates
N/A Unsuccessful candidates
N/A Unsuccessful candidates

N/A Existing customers

N/A Existing customers

N/A Potential customers

N/A Potential customers


Representative (if applicable)
Name N/A
Address N/A
Email N/A
Telephone N/A

Article 30 Record of Processing Activities

Categories of personal data Categories of recipients

Contact details HMRC


Bank details HMRC
Pension details HMRC
Tax details HMRC
Contact details N/A
Pay details N/A
Annual leave details N/A
Sick leave details N/A
Performance details N/A
Contact details Referee
Qualifications N/A
Employment history N/A
Ethnicity N/A
Disability details N/A
Contact details N/A
Qualifications N/A
Employment history N/A
Ethnicity N/A
Disability details N/A

Contact details Processor - marketing co.

Purchase history Processor - marketing co.

Contact details Processor - marketing co.

Lifestyle information Processor - marketing co.


g Activities

Names of third countries or international


Link to contract with processor organisations that personal data are
transferred to (if applicable)

N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A

Link N/A

Link N/A

Link N/A

Link N/A
Safeguards for exceptional transfers of
personal data to third countries or Retention schedule (if possible)
international organisations (if applicable)

N/A 5 years post-employment


N/A 3 years post-employment
N/A 75 years post-employment
N/A 6 years post-employment
N/A 6 years post-employment
N/A 6 years post-employment
N/A 6 years post-employment
N/A 6 years post-employment
N/A 6 years post-employment
N/A 6 years post-employment
N/A 6 years post-employment
N/A 6 years post-employment
N/A 6 years post-employment
N/A 6 years post-employment
N/A 6 months post-campaign
N/A 6 months post-campaign
N/A 6 months post-campaign
N/A 6 months post-campaign
N/A 6 months post-campaign

N/A End of customer relationship

N/A End of customer relationship

N/A 1 year post-campaign

N/A 1 year post-campaign


General description of technical and Article 6 lawful basis for processing
organisational security measures (if personal data
possible)

Encrypted storage and transfer Article 6(1)(c) - legal obligation


Encrypted storage and transfer Article 6(1)(c) - legal obligation
Encrypted storage and transfer Article 6(1)(c) - legal obligation
Encrypted storage and transfer Article 6(1)(c) - legal obligation
Encrypted storage Article 6(1)(b) - contract
Encrypted storage, access controls Article 6(1)(b) - contract
Encrypted storage, access controls Article 6(1)(b) - contract
Encrypted storage, access controls Article 6(1)(b) - contract
Encrypted storage, access controls Article 6(1)(b) - contract
Encrypted storage and transfer Article 6(1)(b) - contract
Encrypted storage, access controls Article 6(1)(b) - contract
Encrypted storage, access controls Article 6(1)(b) - contract
Encrypted storage, access controls Article 6(1)(b) - contract
Encrypted storage, access controls Article 6(1)(b) - contract
Encrypted storage, access controls Article 6(1)(b) - contract
Encrypted storage, access controls Article 6(1)(b) - contract
Encrypted storage, access controls Article 6(1)(b) - contract
Encrypted storage, access controls Article 6(1)(b) - contract
Encrypted storage, access controls Article 6(1)(b) - contract

Encrypted storage and transfer Article 6(1)(a) - consent

Encrypted storage and transfer Article 6(1)(a) - consent

Encrypted storage and transfer Article 6(1)(a) - consent

Encrypted storage and transfer Article 6(1)(a) - consent


Privacy Notices

Article 9 condition for processing special Legitimate interests for the processing (if
category data applicable)

N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
Article 9(2)(b) - employment N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
Article 9(2)(b) - employment N/A
Article 9(2)(b) - employment N/A
N/A N/A
N/A N/A
N/A N/A
Article 9(2)(b) - employment N/A
Article 9(2)(b) - employment N/A

N/A N/A

N/A N/A

N/A N/A

N/A N/A
Privacy Notices

Link to record of legitimate interests Rights available to individuals


assessment (if applicable)

N/A Access and rectification


N/A Access and rectification
N/A Access and rectification
N/A Access and rectification
N/A Access and rectification
N/A Access and rectification
N/A Access and rectification
N/A Access and rectification
N/A Access and rectification
N/A Access, data portability, rectification
N/A Access, data portability, rectification
N/A Access, data portability, rectification
N/A Access, data portability, rectification
N/A Access, data portability, rectification
N/A Access, data portability, rectification
N/A Access, data portability, rectification
N/A Access, data portability, rectification
N/A Access, data portability, rectification
Access, data portability, rectification
Access, data portability, rectification,
N/A objection, erasure
Access, data portability, rectification,
N/A objection, erasure
Access, data portability, rectification,
N/A objection, erasure
Access, data portability, rectification,
N/A objection, erasure
Existence of automated decision-making, The source of the personal data (if
including profiling (if applicable) applicable)

No Data subject
No Data subject
No Controller
No Controller
No Data subject
No Controller
No Controller
No Controller
No Controller
Yes Data subject
Yes Data subject
Yes Data subject
No Data subject
No Data subject
Yes Data subject
Yes Data subject
Yes Data subject
No Data subject
No Data subject

Yes Data subject

Yes Data subject

Yes Data broker co.

Yes Data broker co.


Consent Access Requests

Link to record of consent Location of personal data

N/A Finance payroll system


N/A Finance payroll system
N/A Finance pension system
N/A Finance payroll system
N/A HR personnel system
N/A HR personnel system
N/A HR personnel system
N/A HR personnel system
N/A HR personnel system
N/A HR Recruitment system
N/A HR Recruitment system
N/A HR Recruitment system
N/A HR Recruitment system
N/A HR Recruitment system
N/A HR Recruitment system
N/A HR Recruitment system
N/A HR Recruitment system
N/A HR Recruitment system
N/A HR Recruitment system

Link Sales system, data processor

Link Sales system, data processor

Link Sales system, data processor

Link Sales system, data processor


Data Protection Impact Assessments

Data Protection Impact Assessment Data Protection Impact Assessment


required? progress

No N/A
No N/A
No N/A
No N/A
No N/A
No N/A
No N/A
No N/A
No N/A
Yes Completed
Yes Completed
Yes Completed
No N/A
No N/A
Yes Completed
Yes Completed
Yes Completed
No N/A
No N/A

Yes Completed

Yes Completed

Yes Completed

Yes Completed
ssments Personal Data Breaches

Link to Data Protection Impact Has a personal data breach occurred?


Assessment

N/A No
N/A No
N/A No
N/A No
N/A No
N/A No
N/A No
N/A No
N/A No
Link No
Link No
Link No
N/A No
N/A No
Link No
Link No
Link No
N/A No
N/A No

Link No

Link No

Link No

Link No
Personal Data Breaches Data Protection

Data Protection Act 2018 Schedule


Link to record of personal data breach Condition for processing

N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A Sch.1, Pt.1, 1 - Employment
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A Sch.1, Pt.1, 1 - Employment
N/A Sch.1, Pt.1, 1 - Employment
N/A N/A
N/A N/A
N/A N/A
N/A Sch.1, Pt.1, 1 - Employment
N/A Sch.1, Pt.1, 1 - Employment

N/A N/A

N/A N/A

N/A N/A

N/A N/A
Data Protection Act 2018 - Special Category or Criminal Conviction and Offence data

Link to retention and erasure policy


GDPR Article 6 lawful basis for processing document

N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
Article 6(1)(b) - contract Link
N/A N/A
N/A N/A
N/A N/A
N/A N/A
Article 6(1)(b) - contract Link
Article 6(1)(b) - contract Link
N/A N/A
N/A N/A
N/A N/A
Article 6(1)(b) - contract Link
Article 6(1)(b) - contract Link

N/A N/A

N/A N/A

N/A N/A

N/A N/A
nal Conviction and Offence data

Is personal data retained and erased in Reasons for not adhering to policy
accordance with the policy document? document (if applicable)

N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
Yes N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
Yes N/A
Yes N/A
N/A N/A
N/A N/A
N/A N/A
Yes N/A
Yes N/A

N/A N/A

N/A N/A

N/A N/A

N/A N/A
Notes
Use this template to document the processing activities you undertake
as a controller.

Headings highlighted green are required areas of documentation under


Article 30 of the GDPR or Schedule 1 of the Data Protection Act 2018.

Headings highlighted blue are optional areas of documentation that are


not required under Article 30 of the GDPR or Schedule 1 of the Data
Protection Act 2018.
Instructions
1. Complete your organisation’s name and contact details in cells B3-
B6.
2. Complete your data protection officer’s name and contact details (if
applicable) in cells D3-D6.
3. Complete your representative’s name and contact details (if
applicable) in cells F3-F6.

4. Document your organisation’s processing activities, starting in cell


A10, and working from left to right. Where necessary use multiple rows
for each processing activity in order to be as granular as possible (see
example tab).
Guidance
For more detailed guidance on documentation, please see the Guide to
GDPR on our website.