At a glance

  • You must maintain internal records of processing activities.
  • If a processor is acting on your behalf, the processer must also maintain a record of processing activities they are carrying out.
  • You and any associated processor may be required to make these records available to the Information Commissioner on request.

In brief

What do I need to record?

You must maintain internal records of processing activities including:

  • your name and details (and where applicable those of other controllers, your representative and data protection officer);
  • purposes of your processing;
  • description of the categories of individuals and categories of personal data;
  • categories of recipients of personal data;
  • details of transfers to third countries including documentation of the transfer mechanism safeguards in place;
  • your retention schedules; and
  • a description of your technical and organisational security measures.

If a processor is acting on your behalf, the processer must also maintain a record of processing activities they are carrying out including:

  • the name and contact details of the processor (and where applicable, of other processors, their representative and data protection officer);
  • the categories of processing carried out on your behalf;
  • details of transfers to third countries where explicitly instructed, including documentation of the transfer mechanism safeguards in place and identification of that third country; and
  • a description of technical and organisational security measures.

You and any associated processor may be required to make these records available to the Information Commissioner on request.