(1) Controllers and processors shall provide for logs to be kept for at least the following processing operations in automated processing systems:
- disclosure including transfers,
- combination, and
(2) The logs of consultation and disclosure must make it possible to ascertain the justification, date and time of such operations and, as far as possible, the identity of the person who consulted or disclosed personal data, and the identity of the recipients of the data.
(3) The logs may be used only by the data protection officer, the Federal Commissioner or the data subject to verify the lawfulness of the processing; and for self-monitoring, ensuring the integrity and security of the personal data, and for criminal proceedings.
(4) The log data shall be erased at the end of the year following the year in which they were generated.
(5) The controller and the processor shall make the logs available to the Federal Commissioner on request.