In addition to the processing directory, the GDPR also provides for the documentation of technical and organisational measures. These are the measures that the company implements to protect the processing of personal data.
The list of technical and organisational measures (also known as TOMs) is based on the topics listed in Article 32 GDPR. The TOMs are documented for the entire organisation or company. Alongside the processing directory and the deletion concept, they are an important part of the data protection documentation.
Below you will find a template for documenting the TOMs with questions to help you draw up the measures. The TOMs always document the current status of the measures.
If you can provide few or no details for a particular point, review that point again within your organisation or company and implement further measures if necessary.