Each controller and his/her representative if necessary, must keep a record of all processing activities that they are responsible for in accordance with Article 30 GDPR.

This record must contain the following information:

  • the purpose of the processing;
  • a description of the categories of data subjects and the categories of personal data;
  • the recipients or the categories of recipients to whom the personal data has been or will be disclosed;
  • if possible the established deadlines for the deletion of the different data categories;
  • if possible, a general description of the technical and organizational data protection measures.

This processing record must be submitted if requested to do so by the supervisory committee (data protection authority) and can be used to prove compliance with the aforementioned basic principles.