Section 39

The Data Controller shall maintain, at least, the following

records in order to enable the data subject and the Office to check upon, which can be either in
a written or electronic form:

(1)the collected Personal Data;

(2)the purpose of the collection of the Personal Data in each category;

(3)details of the Data Controller;

(4)the retention period of the Personal Data;

(5)rights and methods for access to the Personal Data, including the conditions regarding

the Person having the right to access the Personal Data and the conditions to access such Personal Data ;

(6)the use or disclosure under section 27 paragraph three;

(7)the rejection of request or objection according to section 30 paragraph three,

section 31 paragraph three, section 32 paragraph three, and section 36 paragraph one;

(8)explanation of the appropriate security measures pursuant to

section 37 (1).

The provisions in paragraph one shall apply to the representative of the Data Controller under section 5

paragraph two mutatis mutandis.

The provisions in (1), (2), (3), (4), (5), (6) and (8) may not apply to the Data Controller

who is a small organization pursuant to the rules as prescribed by the Committee,
unless the collection, use, or disclosure of such Personal Data is likely to result
in a risk to the rights and freedoms of data subjects, or not a business where the collection,
use, or disclosure of the Personal Data is occasional, or involving in the collection, use,
or disclosure of the Personal Data pursuant to section 26 .