Draw up a description of the nature, scope, context and purposes of the processing of personal data. Identify the controller and any processors.
The description should include information about why and how personal data are to be processed. The description can be based on the life cycle of personal data processing: from the collection and processing of the data to the storage and destruction of the data. The description must explain:
- from where and how personal data will be collected
- the purposes of processing, the uses of the data and a description of the processing operations
- the resources to be used to process personal data (hardware, software, human resources, documents or channels used to transmit documents)
- the individuals who will have access to the data
- the parties to whom and the purposes for which the data will be disclosed
- the retention period for the data, and
- how the data will be securely destroyed.
The description should also explain how the processing operations and the associated decision-making process will be documented and how the impact assessment will be reviewed and updated, for example, if there is a change in a risk relating to the processing. If the processing is to be based on the controller’s or a third party’s legitimate interests, the systematic description must include a balance test.