Expert Advice Community


Internal audit of management systems and GDPR

Guest user Created:   May 23, 2022 Last commented:   May 29, 2022

I have an inquiry regarding the conduct of reporting internal management systems and the GDPR. In our internal audit reports of our management system, we include the names and position of the audit participants. Will this pose a breach in the GDPR? Also, part of the report, as an attachment, is the attendance list containing the names and positions. Is this also a breach as per GDPR?

Tudor Galos May 29, 2022

In general, this is not a breach of GDPR because there are no significant risks to the freedoms and rights of the data subjects, but you need to take a few things into consideration to make sure that the processing is fully compliant with the GDPR requirements. Since the name and position of employees are personal data per Article 4 GDPR – Definitions, listing these categories of personal data in different reports and attachments is considered to be the processing of personal data. Whenever you are assessing whether the processing of personal data is GDPR-compliant, you must make sure that the processing is necessary (and the same objective cannot be obtained without processing personal data) and that it respects all GDPR principles described in Article 5 GDPR – Principles relating to the processing of personal data:

  • Lawfulness, fairness, and transparency (employees understand that their data is published in these reports).
  • Purpose limitation (there is a clear scope of processing).
  • Data minimization (only data necessary for the purpose is being processed).
  • Accuracy.
  • Storage limitation (define clear retention timelines after which the data should be anonymized).
  • Security.

The legal ground for this processing could be the legitimate interest of the organization to create meaningful reports that can be used internally and that allow other employees to contact people who worked for these reports/audits. In this case, you should also perform a Legitimate Interest Assessment and allow employees to exercise their right to objection, according to Article 21 GDPR – Right to object.


Please also consult these links:

Tudor Galos