Select Page

Section 70 Records of processing activities

(1) The controller shall keep a record of all categories of processing activities under its responsibility. This record shall contain all of the following information:

  1. the name and contact details of the controller and, where applicable, of the joint controller; and the name and contact details of the data protection officer;
  2.  the purposes of the processing;
  3. the categories of recipients to whom the personal data have been or are to be disclosed;
  4. a description of the categories of data subjects and of the categories of personal data;
  5. where applicable, the use of profiling;
  6. where applicable, the categories of transfers of personal data to bodies in a third country or to an international organization;
  7. information about the legal basis for the processing;
  8. the envisaged time limits for the erasure or for a review of the need to store the various categories of personal data; and
  9. a general description of the technical and organizational security measures referred to in Section 64.

(2) The processor shall maintain a record of all categories of processing activities carried out on behalf of a controller, containing

  1. the name and contact details of the processor, of each controller on behalf of which the processor is acting and, where applicable, the data protection officer;
  2. where applicable, transfers of personal data to bodies in a third country or to an international organization, including the identification of that third country or international organization; and
  3. a general description of the technical and organizational security measures according to Section 64.

(3) The records referred to in subsections 1 and 2 shall be in writing or in electronic form.

(4) Controllers and processors shall make these records available to the Federal Commissioner on request.