For the purposes of Article 30 of the Regulations, a Data Controller and Data Processor must record the following information in relation to a Data Processing operation:

(A) the identity and contact details of the Data Controller;
(B) the purposes of the Processing;
(C) the lawful basis, as set out in Article 10 of the Regulations, for the Processing;
(D) descriptions of the categories of Data Subjects and the categories of Personal Data;
(E) the categories of Recipients to whom the Personal Data have been or will be disclosed;
(F) if applicable, transfers of Personal Data to a jurisdiction outside the QFC or to another Person, including the details of the jurisdiction or the other Person and, in the case of a transfer referred to in Article 24 of the Regulations, the documentation of suitable safeguards;
(G) the envisaged time limits for retention of the different categories of Personal Data;
(H) a general description of the technical and organisational measures referred to in Article 29(1) of the Regulations.