Register of processing activities
Each controller and, where appropriate, the controller's representative shall keep a register of the processing activities carried out under their responsibility. That register shall contain all of the following information:
the name and contact details of the controller and any joint controllers, and, where appropriate, of the controller's representative and the data protection officer;
processing purposes;
A description of the categories of data subjects and categories of personal data;
the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organizations;
where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of the appropriate safeguards;
if possible, the intended time periods within which the different categories of data should be deleted;
if possible, a general description of the technical and organizational security measures referred to in Article 32 (1).
The processor, and, where appropriate, the processor's representative, shall keep a register of all categories of processing activities carried out by them on behalf of a controller. This register shall contain the following information:
the name and contact details of the processors and of each controller on whose behalf the processor acts, and, where appropriate, of the controller's or processor's representative and of the data protection officer;
The categories of processing carried out on behalf of each controller;
where applicable, transfers of personal data to a third country or an international organization, specifying that third country or international organization and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of appropriate safeguards;
if possible, a general description of the technical and organizational security measures referred to in Article 32 (1).
The register referred to in paragraphs 1 and 2 shall be in written form, including in electronic form.
Upon request, the controller or processor and, where appropriate, the representative of the controller or processor shall make the register available to the supervisory authority.
The obligations referred to in paragraphs 1 and 2 shall not apply to enterprises or organizations employing fewer than 250 persons, unless the processing they carry out is likely to present a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing involves special categories of data referred to in Article 9(1) or personal data relating to criminal convictions and offenses referred to in Article 10.
