Data Protection Act 2018
Record of data processing activities
81. (1) A controller shall create and maintain a record in writing containing the following information in relation to each category of processing activity for which it is responsible:
(a) the identity and contact details of the controller and, where applicable, the controller’s data protection officer or any joint controller;
(b) a description of—
(i) the purpose of the processing,
(ii) the categories of personal data concerned,
(iii) the categories of data subjects to which the personal data relate,
(iv) the categories of recipients to which the personal data have been or will be disclosed, including recipients in a third country or an international organisation, if any,
(v) the categories of transfer of personal data to a third country or an international organisation, if any,
(vi) the legal basis for the processing operation for which the personal data are intended, including the transfer of the data, where applicable, and
(vii) where possible, the proposed time limit within which each category of personal data shall be erased;
(c) whether the processing involves the use of profiling;
(d) where possible, a general description of the technical and organisational security measures implemented in respect of the processing activity in accordance with section 72 (1).
(2) A processor shall create and maintain a record in writing of each category of processing activity carried out by the processor on behalf of a controller containing the following information:
(a) the identity and contact details of—
(i) the processor,
(ii) each controller on behalf of which the processor is carrying out the processing, and
(iii) the processor’s data protection officer, where applicable;
(b) a description of each category of processing carried out on behalf of each controller;
(c) details of any transfer of personal data to a third country or an international organisation, if applicable, including the identification of the third country or international organisation to which the data are transferred;
(d) where possible, a general description of the technical and organisational security measures implemented in respect of the processing activity in accordance with section 72 (1).
(3) A controller or processor shall, where requested to do so, make a record created and maintained pursuant to subsection (1) or (2), as the case may be, available to the Commission for inspection and examination.