Which of the following must be recorded by controllers but not by processors regarding personal data processing?

The requirement for controllers to record the purpose of processing personal data is foundational to data protection laws, such as the General Data Protection Regulation (GDPR). Controllers are the entities that determine the purposes and means of processing personal data, and thus they bear the responsibility of being transparent about why personal data is being processed. This is essential for accountability and compliance with data protection principles.

In contrast, processors operate under the instruction of controllers and are responsible for processing personal data on their behalf. While processors have to maintain records of their processing activities, they do not need to specify the purposes of processing as this is defined and determined by the controller. The purpose of processing is inherently linked to the controller's role and obligations under the regulation, making it essential for them to keep this information documented.

Therefore, the correct choice emphasizes the unique obligations of controllers in terms of understanding and documenting the rationale behind their data processing activities, reinforcing their accountability and transparency in handling personal data.