Article 12
Record of processing activities
- The controller and the processor shall each maintain a record of their processing activities.
- The controller's record shall as a minimum contain:
- a. the identity of the controller;
- b. the purpose of processing;
- c. a description of the categories of data subjects and the categories of processed personal data;
- d. the categories of recipients;
- e. if possible, the retention period for the personal data or the criteria for determining this period;
- f. if possible, a general description of the measures taken to guarantee data security under Article 8;
- g. if the data are disclosed abroad, details of the State concerned and the guarantees under Article 16 paragraph 2.
- The processor's record shall contain information on identity of the processor and of the controller, the categories of processing carried out on behalf of the controller, and the information mentioned in paragraph 2 letters f and g.
- The federal bodies shall notify the FDPIC of their records of processing activities.
- The Federal Council shall provide exceptions for legal entities that have fewer than 250 employees and whose data processing poses a negligible risk of harm to the personality of the data subjects.