Data Protection Act 2018

Record of data processing activities

81. (1) A controller shall create and maintain a record in writing containing the following information in relation to each category of processing activity for which it is responsible:

(a) the identity and contact details of the controller and, where applicable, the controller’s data protection officer or any joint controller;

(b) a description of—

(i) the purpose of the processing,

(ii) the categories of personal data concerned,

(iii) the categories of data subjects to which the personal data relate,

(iv) the categories of recipients to which the personal data have been or will be disclosed, including recipients in a third country or an international organisation, if any,

(v) the categories of transfer of personal data to a third country or an international organisation, if any,

(vi) the legal basis for the processing operation for which the personal data are intended, including the transfer of the data, where applicable, and

(vii) where possible, the proposed time limit within which each category of personal data shall be erased;

(c) whether the processing involves the use of profiling;

(d) where possible, a general description of the technical and organisational security measures implemented in respect of the processing activity in accordance with section 72(1).

(2) A processor shall create and maintain a record in writing of each category of processing activity carried out by the processor on behalf of a controller containing the following information:

(a) the identity and contact details of—

(i) the processor,

(ii) each controller on behalf of which the processor is carrying out the processing, and

(iii) the processor’s data protection officer, where applicable;

(b) a description of each category of processing carried out on behalf of each controller;

(c) details of any transfer of personal data to a third country or an international organisation, if applicable, including the identification of the third country or international organisation to which the data are transferred;

(d) where possible, a general description of the technical and organisational security measures implemented in respect of the processing activity in accordance with section 72(1).

(3) A controller or processor shall, where requested to do so, make a record created and maintained pursuant to subsection (1) or (2), as the case may be, available to the Commission for inspection and examination.