ISO 27701
Records related to processing PII
The organization should determine and securely maintain the necessary records in support of its obligations for the processing of PII. ... - Licensed content not shown -
GDPR (EU)
5.2: Article(5)(2): The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 ('accountability')
24.1: Article(24)(1): Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.
30.1.a: Article(30)(1)(a): Each controller and, where applicable, the controller's representative, shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information: (a) the name and contact details of the controller and, where applicable, the joint controller, the controller's representative and the data protection officer
30.1.b: Article(30)(1)(b): Each controller and, where applicable, the controller's representative, shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information: (b) the purposes of the processing
30.1.c: Article(30)(1)(c): Each controller and, where applicable, the controller's representative, shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information: (c) a description of the categories of data subjects and of the categories of personal data
30.1.d: Article(30)(1)(d): Each controller and, where applicable, the controller's representative, shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information: (d) the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations
30.1.f: Article(30)(1)(f): Each controller and, where applicable, the controller's representative, shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information: (f) where possible, the envisaged time limits for erasure of the different categories of data
30.1.g: Article(30)(1)(g): Each controller and, where applicable, the controller's representative, shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information: (g) where possible, a general description of the technical and organisational security measures referred to in Article 32(1).
30.3: Article(30)(3): The records referred to in paragraphs 1 and 2 shall be in writing, including in electronic form.
30.4: Article(30)(4): The controller or the processor and, where applicable, the controller's or the processor's representative, shall make the record available to the supervisory authority on request.
30.5: Article(30)(5): The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10.