Controller's record of processing activities
The obligation to draw up a record of processing activities applies to all organisations with more than 250 employees. Smaller organisations are also required to draw up the record if
- the personal data processing for which the organisation is responsible is likely to pose a risk to the rights and freedoms of data subjects;
- the organisation's processing of personal data is not occasional; or
- the organisation processes special categories of data, or personal data relating to criminal convictions and offences.
When another organisation is performing certain processing activities on behalf of the controller, this processor is required to describe its own processing activities. In such cases, the controller can append the processor's record to its own, insofar as it applies to the processing of data under the responsibility of the controller.
Template for controllers: record of processing activities (Excel, 20 KB)
The record drawn up by the controller is required to state the following information:
Indicate the name and contact details of the controller and possible joint controller, possible representative of the controller and the Data Protection Officer.
Controller refers to a natural person, legal entity, authority, agency or other body that determines the purposes and methods of personal data processing, either alone or in cooperation with others. The controller can also be defined in legislation.
If a minimum of two controllers jointly determine the purposes and methods of processing, such parties constitute joint controllers. As for controllers, joint controllers can also be provided for in legislation.
Controller's representative refers to a natural person or legal entity established in the European Union to whom the controller has given a written authorisation to act on its behalf. The representative represents the controller in matters involving the controller's obligations under the GDPR.
The Data Protection Officer is a person with special expertise in data protection legislation and practices who assists the controller and monitors compliance with the GDPR in the organisation.
The organisation must define a specific legal purpose for all data it processes in its operations. Describe each purpose individually in the record, for example by indicating the task of the controller that requires the processing of personal data. The purposes must be described in sufficient detail. Beyond stating why the personal data is processed, the purpose also determines which types of personal data the organisation needs to collect and for how long the data needs to be stored.
Data processing refers to all activities involving personal data. For example, the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of data constitutes processing.
You should also indicate the legal basis for processing provided for in the GDPR. The basis for processing and, in certain cases, its purpose affect, among other things, the rights of the data subject under the GDPR.
Data subjects are natural persons whose personal data is being processed.
Describe the nature of the data subjects (e.g. customers, employees, patients) and the personal data processed (e.g. identifying data, such as name, date of birth, contact details; information on the services ordered by the customer, their delivery and invoicing, etc.) in the record.
All information related to an identified or identifiable natural person constitutes personal data. An identifiable natural person is one who can be identified, directly or indirectly, by an identifier (such as the name, personal identity code, location data or online identifiers) or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Recipient means a natural person, legal entity, public authority, agency or another body to which personal data is disclosed. Recipients are not limited to third parties: in addition to external controllers, they also include joint controllers and processors to whom personal data is transferred or disclosed.
Describe the categories of recipients in the record, including international organisations and recipients established in third countries. The recipient must have legitimate grounds for processing personal data.
Specify the categories of recipients as precisely as possible. For example, describe the type (e.g. with a reference to the processing activities carried out by the recipient), industry, sector and place of establishment of the recipient.
However, you are not required to describe the authorities to which personal data is disclosed for the purpose of specific investigations provided for in Union or Member State law, as these parties do not constitute recipients as defined in the GDPR. Authorities are required to process data in accordance with the purpose of processing and in compliance with data protection rules.
Indicate in the record whether data is transferred to third countries or international organisations. If yes, specify the countries and organisations. The record should also indicate the provision of the GDPR and the corresponding mechanism that permits the transfer, such as a Commission decision provided for in Article 45, the binding corporate rules provided for in Article 47 or the standard data protection clauses provided for in Article 46(2).
If the transfer to a third country or international organisation is based on the specific situation referred to in the second subparagraph of Article 49(1), describe in the record the documentation of the suitable safeguards.
Describe the planned erasure deadlines for the various data categories or the criteria by which the storage times of data will be defined.
The storage times follow from the principles of data minimisation and storage limitation. Storage times, or the criteria for defining them, can be derived from, for example, statutory retention periods or the industry's code of practice. The specified storage time must indicate how long the data is actually processed. Stating that the personal data will be stored for as long as required to achieve certain legal purposes will not suffice.
If you have different storage times for different categories of personal data or for personal data processed for different purposes, indicate each storage time.
Describe in general terms the technical and organisational measures used to secure the data. For example, state how the data is protected from access by outsiders, how access rights have been restricted within the organisation, and how the use of the personal data is monitored. The organisation can, for example, draw up a model for sanctions resulting from misuse and add a link to the model in this section of the record. Other equivalent internal information can also be appended to this section.
If the record contains detailed information on, or links to, information security practices or similar material, protect the record from access by unauthorised persons.