The Data Protection Officer (DPO) is required to keep a register of all the processing operations on personal data carried out by the Commission. The register, which must contain information explaining the purpose and conditions of all processing operations, is accessible to any interested person.

The notifications kept in the database should provide at least the following information:

  • the name and address of the controller and an indication of the organisational parts of an institution or body entrusted with the processing of personal data for a particular purpose;
  • the purposes of the processing;
  • a description of the categories of data subjects and of the data relating to them;
  • the legal basis of the processing operation for which the data are intended;
  • the recipients to whom the data might be disclosed;
  • a general indication of the time limits for blocking and erasure of the different categories of data;
  • proposed transfers of data to third countries or international organisations;
  • a general description allowing a preliminary assessment to be made of the appropriateness of the measures taken pursuant to Article 22 to ensure security of processing.

Access to register