Obligations for the controller and the processor set out by the GDPR

Keeping records of processing activities

This obligation relates to both, controller and processor. To ensure accountability in the processing of personal data, controllers and processors must maintain records of the processing activities carried out under their responsibility and provide them to the supervisory authorities where requested.

Documentation should include the following:

• name and contact details of the controller, and of the joint controller, the controller’s representative and the DPO, where applicable,
• purposes of the processing,
• description of the categories of data subjects and of the categories of personal data related to the processing,
• information on the categories of recipients to whom personal data have been, « will be, disclosed;
• information on whether transfers of personal data to third countries or interna¬tional organisations have been, or will be, carried out;
• where possible, the time limits foreseen for the deletion of the different categories of personal data, as well as an overview of the technical measures adopted to ensure the security of processing.