PART 3Law enforcement processing
CHAPTER 4Controller and processor
General obligations
61Records of processing activities
1
Each controller must maintain a record of all categories of processing activities for which the controller is responsible.
2
The controller’s record must contain the following information—
a
the name and contact details of the controller;
b
where applicable, the name and contact details of the joint controller;
c
where applicable, the name and contact details of the data protection officer;
d
the purposes of the processing;
e
the categories of recipients to whom personal data has been or will be disclosed (including recipients in third countries or international organisations);
f
a description of the categories of—
i
data subject, and
ii
personal data;
g
where applicable, details of the use of profiling;
h
where applicable, the categories of transfers of personal data to a third country or an international organisation;
i
an indication of the legal basis for the processing operations, including transfers, for which the personal data is intended;
j
where possible, the envisaged time limits for erasure of the different categories of personal data;
k
where possible, a general description of the technical and organisational security measures referred to in section 66.
3
Each processor must maintain a record of all categories of processing activities carried out on behalf of a controller.
4
The processor’s record must contain the following information—
a
the name and contact details of the processor and of any other processors engaged by the processor in accordance with section 59(3);
b
the name and contact details of the controller on behalf of which the processor is acting;
c
where applicable, the name and contact details of the data protection officer;
d
the categories of processing carried out on behalf of the controller;
e
where applicable, details of transfers of personal data to a third country or an international organisation where explicitly instructed to do so by the controller, including the identification of that third country or international organisation;
f
where possible, a general description of the technical and organisational security measures referred to in section 66.
5
The controller and the processor must make the records kept under this section available to the Commissioner on request.