
Checklist Privacy Documentation

By: Amy Eikelenboom – Co-Founder at NAALA 

Published on 14 July, 2021


Do you find yourself responsible for more requirements than you anticipated because you process personal data? As you may know, all data subjects (the natural persons whose data you process) are entitled to protection of their personal information and have rights related to their personal data.

These requirements result in a set of documentation that needs to be in place. We make a distinction between ‘internal’ and ‘external’ documentation. By internal documentation we mean all documentation that is required to structure the processes within your organization, for example a process to notify the supervisory authority of a data breach or to respond to a data subject request.

By external documentation we mean the documentation that you (the organization) must provide to your data subjects about the processing activities you perform.

The principles relating to the processing of personal data (art. 5 GDPR) play an important role in explaining why certain types of documentation need to be available and what they must contain.

The data processing principles are the following: 

  1. The processing shall be lawful, fair and transparent;
  2. Personal data shall not be further processed in a manner that is incompatible with the purpose for which the data was initially collected;
  3. Only the minimal data required for the purpose shall be processed;
  4. Personal data shall be and remain accurate;
  5. Personal data shall not be processed for longer than is necessary for the purpose;
  6. Appropriate security of the personal data shall be ensured.

Article 5 contains one more principle, which addresses the data controller: the controller shall be responsible for, and be able to demonstrate compliance with, the aforementioned principles. That is where the documentation comes in.

External Documentation:

  • Privacy (and cookie) statement – explains in simple words to your users, website visitors and/or employees how, why and when the processing of personal data takes place;
  • Consent form – if applicable, you might need to ask for (parental) consent in order to process personal data;
  • Data Processing Agreement – you must agree with your (sub)processor on the data protection measures you expect them to adhere to (as well).

Internal Documentation:

  • Privacy Policy – overarching document within your organization to manage privacy;
  • Data retention policy – describes how long each type of data may be stored and how to erase it securely;
  • Data Protection Impact Assessment – the impact assessment you perform in case of a new processing activity. The results of these DPIAs should also be documented;
  • Data Breach Procedure – describes what a data breach is, how it should be handled and how it should be notified.

Yes. Both as a Data Processor and as a Data Controller you must have certain documentation available, depending on your role. For much of the documentation, the Data Processor can refer to the Data Controller. Nonetheless, within your own role you also need to have the Data Processing Agreements available, keep an overview of which types of data you process for which Data Controller, and have an internal policy to ensure the correct handling of personal data within your organization. Additionally, you might also be the data controller for other parts of your business, for example for the personal data of your employees or your clients.



The importance of information security in health care cannot be overstated. Medical data, such as patient data, is of a particularly sensitive nature. The frequent (digital) storage and sharing of this sensitive information must be secure and must comply with privacy legislation, hence a high information security standard is required. ISO 27001 provides guidelines to organizations for the secure storage and sharing of information. NEN 7510 is a Dutch information security standard specifically for the healthcare industry.

As a developer of e-health solutions or software as a medical device, you are not only the manufacturer in charge of ensuring the quality of the product. In addition, you are responsible for information security and data protection. That is why we at NAALA take a holistic approach to ensuring compliance with all requirements while keeping the compliance effort efficient. But what does the overlap between the MDR, the GDPR and information security standards mean? Aren’t these separate processes?

Please note that all details and listings do not claim to be complete, are provided without guarantee and are for information purposes only. Changes in legal or regulatory requirements may occur at short notice, which we cannot reflect on a daily basis.