
Section 70

Records of processing activities

(1) The controller shall keep a record of all categories of processing activities under its responsibility. This record shall contain all of the following information:
1. the name and contact details of the controller and, where applicable, of the joint controller; and the name and contact details of the data protection officer;
2. the purposes of the processing;
3. the categories of recipients to whom the personal data have been or are to be disclosed;
4. a description of the categories of data subjects and of the categories of personal data;
5. where applicable, the use of profiling;
6. where applicable, the categories of transfers of personal data to bodies in a third country or to an international organisation;
7. information about the legal basis for the processing;
8. the envisaged time limits for the erasure or for a review of the need to store the various categories of personal data; and
9. a general description of the technical and organisational security measures referred to in Section 64.
(2) The processor shall maintain a record of all categories of processing activities carried out on behalf of a controller, containing
1. the name and contact details of the processor, of each controller on behalf of which the processor is acting and, where applicable, the data protection officer;
2. where applicable, transfers of personal data to bodies in a third country or to an international organisation, including the identification of that third country or international organisation; and
3. a general description of the technical and organisational security measures according to Section 64.
(3) The records referred to in subsections 1 and 2 shall be in writing or in electronic form.
(4) Controllers and processors shall make these records available to the Federal Commissioner on request.