Each controller shall maintain a record of processing activities under its responsibility. That record shall contain the following information:
the name and contact details of the controller and, where applicable, the joint controller and the data protection officer or designated compliance contact;
the purposes of the processing;
a description of the categories of data subjects and the categories of personal data processed;
the categories of recipients to whom the personal data has been or will be disclosed, including recipients in foreign jurisdictions;
where applicable, a description of transfers of personal data to foreign jurisdictions, including the identification of those jurisdictions and, in the case of transfers in the absence of an adequacy determination under Article 22, the documentation of the appropriate safeguards relied upon;
where possible, the envisaged time limits for erasure of the different categories of data;
where possible, a general description of the technical and organisational security measures referred to in Article 18(1).
Each processor shall maintain a record of all categories of processing activities carried out on behalf of a controller. That record shall contain the following information:
the name and contact details of the processor or processors and of each controller on whose behalf the processor is acting, and, where applicable, the data protection officer or designated compliance contact of the controller or the processor;
the categories of processing carried out on behalf of each controller;
where applicable, a description of transfers of personal data to foreign jurisdictions, including the identification of those jurisdictions and the documentation of the appropriate safeguards relied upon;
where possible, a general description of the technical and organisational security measures referred to in Article 18(1).
The records referred to in paragraphs 1 and 2 shall be maintained in writing, including in electronic form. Given the digital-first character of the Principality of Kaharagia and the absence of a physical territory, electronic record-keeping shall be the standard means of compliance with this obligation.
The controller or the processor shall make the records referred to in this Article available to the supervisory authority on request. The supervisory authority may prescribe the format in which such records are to be maintained or transmitted.
The obligations set out in paragraphs 1 and 2 shall not apply to a controller or processor employing fewer than five persons, unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes sensitive personal data as defined in Article 2 of this Code.