CHAPTER IV Controller and processor
Article 24 Records of processing activities
1. Member States shall provide for controllers to maintain a record of all categories of processing activities under their responsibility. That record shall contain all of the following information:
(a) the name and contact details of the controller and, where applicable, the joint controller and the data protection officer;
(b) the purposes of the processing;
(c) the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;
(d) a description of the categories of data subject and of the categories of personal data;
(e) where applicable, the use of profiling;
(f) where applicable, the categories of transfers of personal data to a third country or an international organisation;
(g) an indication of the legal basis for the processing operation, including transfers, for which the personal data are intended;
(h) where possible, the envisaged time limits for erasure of the different categories of personal data;
(i) where possible, a general description of the technical and organisational security measures referred to in Article 29(1).
2. Member States shall provide for each processor to maintain a record of all categories of processing activities carried out on behalf of a controller, containing:
(a) the name and contact details of the processor or processors, of each controller on behalf of which the processor is acting and, where applicable, the data protection officer;
(b) the categories of processing carried out on behalf of each controller;
(c) where applicable, transfers of personal data to a third country or an international organisation where explicitly instructed to do so by the controller, including the identification of that third country or international organisation;
(d) where possible, a general description of the technical and organisational security measures referred to in Article 29(1).
3. The records referred to in paragraphs 1 and 2 shall be in writing, including in electronic form.
The controller and the processor shall make those records available to the supervisory authority on request.