Acts 2017
497
(2) The Commissioner may, at any reasonable time during
working hours, carry out further inspection and assessment of the security
measures imposed on a controller or processor under section 31.
33.
Record of processing operations
(1) Every controller or processor shall maintain a record of all
processing operations under his or its responsibility.
(2)
The record shall set out –
(a) the name and contact details of the controller or
processor, and, where applicable, his or its representative
and any data protection officer;
(b)
the purpose of the processing;
(c)
a description of the categories of data subjects and of
personal data;
(d)
a description of the categories of recipients to whom
personal data have been or will be disclosed, including
recipients in other countries;
(e)
any transfers of data to another country, and, in the
case of a transfer referred to in section 36, the suitable
safeguards;
(f)
where possible, the envisaged time limits for the erasure
of the different categories of data; and
(g) the description of the mechanisms referred to in
section 22 (3).
(3) The controller or processor shall, on request, make the record
available to the Office.
PART V – PROCESSING OPERATIONS LIKELY TO PRESENT RISK
34.
Data protection impact assessment
(1) Where processing operations are likely to result in a high
risk to the rights and freedoms of data subjects by virtue of their nature,