The organization must maintain written, accurate, and up-to-date records of all personal data processing activities. These records must be retained for the entire duration of the processing and for at least five years after completion. Records should be securely stored and organized to allow prompt access when requested by the competent authority.

Each record must include, at a minimum:

• The controller’s name, contact details, and where applicable, the data protection officer’s information.
• The specific purposes for which personal data is processed.
• Descriptions of the categories of personal data and data subjects involved.
• Retention periods defined for each data category, where possible.
• Categories of recipients or third parties to whom data is disclosed.
• Details of any personal data transfers outside the state, including their legal basis and intended recipients.
• A description of the organizational, administrative and technical measures implemented to protect personal data.

The organization must ensure that these records remain accurate, regularly reviewed, and readily available to demonstrate compliance with data protection requirements.

The organization must establish and enforce a clear policy for monitoring personal data to ensure all activities are legitimate and necessary. The policy is required to describe:

• the legitimate purpose of the monitoring
• the necessity and proportionality of the tools, methods of monitoring
• establishing clear rules that prohibit access to or use of stored monitoring data for any other reason than fulfilling the original purpose
• the implementation of technical and administrative controls to enforce these rules
• the maximum retention period for stored data, which must not exceed five years

Organisaatio on tunnistanut mahdolliset lainkäyttöalueiden väliset henkilötietojen siirrot.

Henkilötietojen siirroille lainkäyttöalueiden välillä on tunnistetut ja dokumentoidut oikeusperusteet.