The Records of processing activities should represent documentation of all activities around personal data processing within your Organization.
As per Article 30, each controller (and where applicable) the controller‘s representative needs to have an updated record of processing activities that contains:
- the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative, and the data protection officer;
- the purposes of the processing;
- a description of the categories of data subjects and of the categories of personal data;
- the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organizations;
- where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
- where possible, the envisaged time limits for erasure of the different categories of data;
- where possible, a general description of the technical and organizational security measures referred to in Article 32(1).