Records of processing activities
(1) The controller shall keep a record of all categories of processing activities under its responsibility. This record shall contain all of the following information:
1. the name and contact details of the controller and, where applicable, of the joint controller; and the name and contact details of the data protection officer;
2. the purposes of the processing;
3. the categories of recipients to whom the personal data have been or are to be disclosed;
4. a description of the categories of data subjects and of the categories of personal data;
5. where applicable, the use of profiling;
6. where applicable, the categories of transfers of personal data to bodies in a third country or to an international organisation;
7. information about the legal basis for the processing;
8. the envisaged time limits for the erasure or for a review of the need to store the various categories of personal data; and
9. a general description of the technical and organisational security measures referred to in Section 64.
(2) The processor shall maintain a record of all categories of processing activities carried out on behalf of a controller, containing
1. the name and contact details of the processor, of each controller on behalf of which the processor is acting and, where applicable, the data protection officer;
2. where applicable, transfers of personal data to bodies in a third country or to an international organisation, including the identification of that third country or international organisation; and
3. a general description of the technical and organisational security measures according to Section 64.
(3) The records referred to in subsections 1 and 2 shall be in writing or in electronic form.
(4) Controllers and processors shall make these records available to the Federal Commissioner on request.