Records of processing activities

60.(1) A data controller and, where applicable, the data controller's representative, shall maintain a record of processing activities under its responsibility and that record shall contain all of the following:

(a) the name and contact details of the data controller and, where applicable, the joint data controller, the data controller's representative and the data privacy officer;

(b) the purposes of the processing;

(c) a description of the categories of data subjects and of the categories of personal data;

(d) the categories of recipients to whom the personal data has been or will be disclosed including recipients in other countries or international organisations;

(e) where applicable, transfers of personal data to another country or an international organisation, including the identification of that country or international organisation and, in the case of transfers referred to in section 26, the documentation of suitable safeguards;

(f) where possible, the envisaged time limits for erasure of the different categories of data;

(g) where possible, a general description of the technical and organisational security measures referred to in section 62(1).

(2) A data processor and, where applicable, the data processor's representative shall maintain a record of all categories of processing activities carried out on behalf of a data controller, which contains:

(a) the name and contact details of the data processor or data processors and of each data controller on behalf of whom the data processor is acting, and, where applicable, of the data controller's or the data processor's representative, and the data privacy officer;

(b) the categories of processing carried out on behalf of each data controller;

(c) where applicable, transfers of personal data to another country or an international organisation, including the identification of that country or international organisation and, in the case of transfers referred to in section 26, the documentation of suitable safeguards;

(d) where possible, a general description of the technical and organisational security measures referred to in section 62(1).