Documentation
At a glance
- You must maintain internal records of processing activities.
- If a processor is acting on your behalf, the processer must also maintain a record of processing activities they are carrying out.
- You and any associated processor may be required to make these records available to the Information Commissioner on request.
In brief
What do I need to record?
You must maintain internal records of processing activities including:
- your name and details (and where applicable those of other controllers, your representative and data protection officer);
- purposes of your processing;
- description of the categories of individuals and categories of personal data;
- categories of recipients of personal data;
- details of transfers to third countries including documentation of the transfer mechanism safeguards in place;
- your retention schedules; and
- a description of your technical and organisational security measures.
If a processor is acting on your behalf, the processer must also maintain a record of processing activities they are carrying out including:
- the name and contact details of the processor (and where applicable, of other processors, their representative and data protection officer);
- the categories of processing carried out on your behalf;
- details of transfers to third countries where explicitly instructed, including documentation of the transfer mechanism safeguards in place and identification of that third country; and
- a description of technical and organisational security measures.
You and any associated processor may be required to make these records available to the Information Commissioner on request.