Section 39
The Data Controller shall maintain, at least, the following
records in order to enable the data subject and the Office to check upon, which can be either in
a written or electronic form:
(1)the collected Personal Data;
(2)the purpose of the collection of the Personal Data in each category;
(3)details of the Data Controller;
(4)the retention period of the Personal Data;
(5)rights and methods for access to the Personal Data, including the conditions regarding
the Person having the right to access the Personal Data and the conditions to access such Personal Data ;
(6)the use or disclosure under
section 27
paragraph three;
(7)the rejection of request or objection according to
section 30
paragraph three,
section 31
paragraph three,
section 32
paragraph three, and
section 36
paragraph one;
(8)explanation of the appropriate security measures pursuant to
section 37 (1).
The provisions in paragraph one shall apply to the representative of the Data Controller
under
section 5
paragraph two mutatis mutandis.
The provisions in (1), (2), (3), (4), (5), (6) and (8) may not apply to the Data Controller
who is a small organization pursuant to the rules as prescribed by the Committee,
unless the collection, use, or disclosure of such Personal Data is likely to result
in a risk to the rights and freedoms of data subjects, or not a business where the collection,
use, or disclosure of the Personal Data is occasional, or involving in the collection, use,
or disclosure of the Personal Data pursuant to
section 26 .