On April 19th 2018 the Article 29 Working Party (hereinafter, the “WP29”) published a position paper on the derogations from the obligation to maintain records of processing activities contained in Article 30 (5) of the EU General Data Protection Regulation (“GDPR”).
Under Article 30 of the GDPR, controllers and processors of personal data are required to maintain records of processing activities carried out under their responsibility or carried out on behalf of the controller.
However, by virtue of Article 30 (5), organisations or enterprises employing fewer than 250 persons are exempted from that obligation, unless where
- the processing is likely to result in a high risk to the rights of the data subject;
- the processing is not occasional;
- the processing includes special categories of data relating to criminal convictions and offences.
First of all, the WP29 underlines that the exemption provided by Article 30(5) GDPR is not absolute, insofar as the occurrence of any of the three types of processing activities mentioned above triggers the obligation to maintain records limited to that specific processing activity.
To the contrary, types of processing activities not mentioned in Article 30 (5) may be disregarded by an enterprise employing fewer than 250 persons.
Following this, the WP29 highlights that the record is a very useful means to support an analysis of the implications of any processing, facilitating the factual assessment of the risk of the processing activities and the identification and implementation of appropriate security measures.
To this end, the WP29 encourages national Supervisory Authorities to support SMEs by providing tools to facilitate the set up and management of records of processing activities.
In order to comply with these indications, SMEs employing fewer than 250 persons shall
- check whether any processing activity carried out is likely to result in a high risk to the rights of the data subject, or is not occasional, or includes special categories of data, or data relating to criminal convictions and offences;
- the occurrence of any of one of the conditions listed above triggers the obligations to set up and maintain records of the processing activities relating to either one of the types of processing concerned.