As a rule, the management of a company is responsible for ensuring that the requirements of the GDPR are complied with. Depending on the nature and scale of the processing, a data protection officer may need to be appointed (internally or externally). Where a planned processing activity is likely to result in a high risk to the rights and freedoms of the persons concerned, a data protection impact assessment (DPIA) must be carried out before the processing begins (Art. 35 GDPR).
According to the General Data Protection Regulation (GDPR), personal data is any information relating to an identified or identifiable natural person.
A data processing agreement (DPA) must be concluded with each service provider that processes personal data on your company's behalf, as required by Art. 28 GDPR. The agreement binds the provider to process the data only on your documented instructions and to apply appropriate security measures.
The record of processing activities (RoPA, Art. 30 GDPR) provides an overview of all processes in which personal data is processed. It ensures transparency and traceability of data processing within the company and is the document supervisory authorities typically ask for first.
Technical and organizational measures (TOMs, Art. 32 GDPR) must ensure that the confidentiality, integrity and availability of personal data are maintained and that processing is secure. The GDPR names pseudonymisation and encryption as examples, alongside measures such as access controls and the ability to restore data after an incident. The required level of detail depends on the risk: the more sensitive the data your company processes and the larger the scale of the processing, the more thorough the TOMs and their documentation need to be.