Article 30 of the GDPR contains an obligation for data controllers and processors to maintain a record of processing activities in certain circumstances. However, there are exceptions to the requirement, known as the derogation. The derogation essentially exempts micro, small and medium-sized organisations from this recordkeeping requirement. There are, however, certain types of processing, such as processing relating to special category data, to which the derogation does not apply. In response to requests for clarification, the EU’s advisory body on data protection issues, the Article 29 Working Party (WP29), has issued a Position Paper on the derogation from the obligation to maintain records of processing activities pursuant to Article 30(5) GDPR. The Position Paper confirms that, on a plain reading of Article 30(5), those categories are not cumulative and any one of them can trigger the recordkeeping requirement for such organisations.
Article 30(5) says that the obligation to keep a record of processing activities does not apply “to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10”.
The derogation, as the WP29 points out, is therefore not absolute. There are three types of processing to which it does not apply:
- Processing that is likely to result in a risk (not just a high risk) to the rights and freedoms of individuals.
- Processing that is not occasional.
- Processing that includes special categories of data or personal data relating to criminal convictions and offences.
The WP29 underlines that the wording of Article 30(5) is clear in providing that the three types of processing to which the derogation does not apply are alternative (hence “or”) and the occurrence of any one of them alone triggers the recordkeeping obligation.
In other words, any data controller or processor, even one with fewer than 250 employees, who finds itself in the position of either carrying out processing likely to result in any risk to the rights of the individual, or processing personal data on a non-occasional basis, or processing special categories of data under Article 9(1) or data relating to criminal convictions under Article 10, is obliged to maintain the record of processing activities. However, organisations with fewer than 250 employees need only maintain records of processing activities for those types of processing.
The WP29 position paper provides an example of processing that is not “occasional”. A small organisation is likely to regularly process data regarding its employees. Such processing clearly cannot be considered “occasional” and must therefore be included in the record of processing activities. The WP29 considers that a processing activity can only be considered as “occasional” if it is not carried out regularly and occurs outside the regular course of business or activity of the controller or processor. Other processing activities which are in fact “occasional”, however, do not need to be included in the record of processing activities, provided they are unlikely to result in a risk to the rights and freedoms of relevant individuals and do not involve special categories of data or personal data relating to criminal convictions and offences.
According to the WP29, maintaining a record of processing activities is unlikely to constitute a particularly heavy burden. The advisory body considers it “a very useful means to support an analysis of the implications of any processing whether existing or planned. The record facilitates the factual assessment of the risk of the processing activities performed by a controller or processor on individuals’ rights, and the identification and implementation of appropriate security measures to safeguard personal data – both key components of the principle of accountability contained in the GDPR.” Nonetheless, the WP29 recognises that the recordkeeping obligation represents a new administrative requirement for controllers and processors. It therefore calls on national data protection authorities to support SMEs by providing tools to facilitate the set-up and management of records of processing activities. For example, it would like DPAs to provide “a simplified model” that SMEs can use to keep records of processing activities not covered by the Article 30(5) derogation.