Data protection records
All EU institutions have the legal obligation to keep a central register of records of activities processing personal data (Article 31 of Regulation 2018/1725).
The register shall contain at least the following information (Article 31(1) of the Regulation):
- name and contact details of the controller, the data protection officer and, where applicable, the processor and the joint controller;
- the purposes of the processing;
- description of the categories of data subjects and of the categories of personal data;
- the categories of recipients to whom the personal data have been or will be disclosed;
- where applicable, transfers of personal data to a third country or an international organisation and the documentation of suitable safeguards;
- where possible, the envisaged time limits for erasure of the different categories of data;
- where possible, a general description of the technical and organisational security measures to protect those personal data.
The list of records of EMCDDA activities processing personal data is below.