(1) The controller shall keep a record of all categories of processing activities under its responsibility. This record shall contain all of the following information:
- the name and contact details of the controller and, where applicable, of the joint controller; and the name and contact details of the data protection officer;
- the purposes of the processing;
- the categories of recipients to whom the personal data have been or are to be disclosed;
- a description of the categories of data subjects and of the categories of personal data;
- where applicable, the use of profiling;
- where applicable, the categories of transfers of personal data to bodies in a third country or to an international organization;
- information about the legal basis for the processing;
- the envisaged time limits for the erasure or for a review of the need to store the various categories of personal data; and
- a general description of the technical and organizational security measures referred to in Section 64.
(2) The processor shall maintain a record of all categories of processing activities carried out on behalf of a controller, containing
- the name and contact details of the processor, of each controller on behalf of which the processor is acting and, where applicable, the data protection officer;
- where applicable, transfers of personal data to bodies in a third country or to an international organization, including the identification of that third country or international organization; and
- a general description of the technical and organizational security measures according to Section 64.
(3) The records referred to in subsections 1 and 2 shall be in writing or in electronic form.
(4) Controllers and processors shall make these records available to the Federal Commissioner on request.
