At a glance
- As well as your obligation to provide comprehensive, clear and transparent privacy policies (see section on Individual rights), if your organisation has more than 250 employees, you must maintain additional internal records of your processing activities.
- If your organisation has fewer than 250 employees, you are required to maintain records of activities related to higher risk processing, such as:
  - processing personal data that could result in a risk to the rights and freedoms of individuals; or
  - processing of special categories of data or criminal convictions and offences.
What do I need to record?
You must maintain internal records of processing activities. You must record the following information:
- name and details of your organisation (and where applicable, of other controllers, your representative and data protection officer);
- purposes of the processing;
- description of the categories of individuals and categories of personal data;
- categories of recipients of personal data;
- details of transfers to third countries including documentation of the transfer mechanism safeguards in place;
- retention schedules; and
- description of technical and organisational security measures.
You may be required to make these records available to the relevant supervisory authority for purposes of an investigation.