http://www.legislation.gov.uk/id/ukpga/2018/12/enacted

PART 3Law enforcement processing

CHAPTER 4Controller and processor

General obligations

61Records of processing activities

1

Each controller must maintain a record of all categories of processing activities for which the controller is responsible.

2

The controller’s record must contain the following information—

a

the name and contact details of the controller;

b

where applicable, the name and contact details of the joint controller;

c

where applicable, the name and contact details of the data protection officer;

d

the purposes of the processing;

e

the categories of recipients to whom personal data has been or will be disclosed (including recipients in third countries or international organisations);

f

a description of the categories of—

i

data subject, and

ii

personal data;

g

where applicable, details of the use of profiling;

h

where applicable, the categories of transfers of personal data to a third country or an international organisation;

i

an indication of the legal basis for the processing operations, including transfers, for which the personal data is intended;

j

where possible, the envisaged time limits for erasure of the different categories of personal data;

k

where possible, a general description of the technical and organisational security measures referred to in section 66.

3

Each processor must maintain a record of all categories of processing activities carried out on behalf of a controller.

4

The processor’s record must contain the following information—

a

the name and contact details of the processor and of any other processors engaged by the processor in accordance with section 59(3);

b

the name and contact details of the controller on behalf of which the processor is acting;

c

where applicable, the name and contact details of the data protection officer;

d

the categories of processing carried out on behalf of the controller;

e

where applicable, details of transfers of personal data to a third country or an international organisation where explicitly instructed to do so by the controller, including the identification of that third country or international organisation;

f

where possible, a general description of the technical and organisational security measures referred to in section 66.

5

The controller and the processor must make the records kept under this section available to the Commissioner on request.