Documentation

At a glance

You must maintain internal records of processing activities.
If a processor is acting on your behalf, the processer must also maintain a record of processing activities they are carrying out.
You and any associated processor may be required to make these records available to the Information Commissioner on request.

You must maintain internal records of processing activities including:

your name and details (and where applicable those of other controllers, your representative and data protection officer);
purposes of your processing;
description of the categories of individuals and categories of personal data;
categories of recipients of personal data;
details of transfers to third countries including documentation of the transfer mechanism safeguards in place;
your retention schedules; and
a description of your technical and organisational security measures.

If a processor is acting on your behalf, the processer must also maintain a record of processing activities they are carrying out including:

the name and contact details of the processor (and where applicable, of other processors, their representative and data protection officer);
the categories of processing carried out on your behalf;
details of transfers to third countries where explicitly instructed, including documentation of the transfer mechanism safeguards in place and identification of that third country; and
a description of technical and organisational security measures.

You and any associated processor may be required to make these records available to the Information Commissioner on request.