All EU institutions are legally obliged to keep a central register of records of processing activities (Article 31 of Regulation 2018/1725).

  • the name and contact details of the controller, the data protection officer and, where applicable, the processor and the joint controller; 

  • the purposes of processing; 

  • a description of the categories of data subjects and the categories of personal data; 

  • the categories of recipients to whom the personal data have been or will be disclosed; 

  • where applicable, transfers of personal data to a third country or an international organisation, with documentation of suitable safeguards; 

  • where possible, the time after which the different categories of data will be erased; where possible, a general description of the technical and organisational security measures taken to protect those personal data.

You may find the old format of the ECA records registry here.

The ECA is currently revamping its registry – the following list of ECA controllers and their personal data processing records is still under construction.