Are work notes on paper or in a notebook considered data processing by GDPR?


Considering that such notes can contain personal information, you must establish an order for storing notes. GDPR does not only refer to information collected/documented electronically. GDPR terms for data protection also impact written lists which contain personal information.

There are data (physical, in paper form) stored in archive, but they are not available electronically and references to them are not found in the electronic catalogue. Do these data fall under GDPR and will be considered if there is a data breach?

GDPR refers to all information containing personal data which is being stored. For data on paper, you must establish an order for storing the data:

  • You must determine who has access (access should be narrowed down to the least amount of people).
  • You must order data according to criteria/words/other parameters so you could find data in case of need.
  • You must establish a storage period that is justified by the purpose for storage.
  • You must define the order of destroying data.