The Article 29 Working Party (WP29) has published a position paper on the scope of the derogation from the obligation to maintain records of processing activities. Article 30.5 provides that the record-keeping obligation does not apply to organisations with less than 250 employees in certain circumstances. The WP29 has stated that the position paper was published as a result of a high number of requests from companies received by national Supervisory Authorities. Despite the existence of the derogation, the WP29 encourages SMEs to maintain records of their processing activities, as it is a useful means of assessing the risk of processing activities on individuals’ rights, and identifying and implementing appropriate security measures to safeguard personal data. In light of the new accountability principle in the GDPR, requiring organisations to be able to demonstrate how they comply with their GDPR obligations, it would certainly be prudent for all organisations, regardless of size, to maintain such records.

The position paper makes it clear that all organisations, without exception, must maintain a record of processing in regard for human resources (HR) data, as such processing cannot be considered “occasional“. Accordingly, all organisations must ensure they can present records relating to HR data to their supervisory authority post-May 2018, if requested. This will entail the controller keeping a record of the types of HR data processed, the categories of data subjects (i.e. employees, ex-employees, candidates, consultants), the purposes of the processing, the recipients of such data (e.g. any third party service providers), the data retention periods for each type of HR data processed, details of any non-EEA transfers of HR data, and the security measures in place to protect such data.

Background – What records does the GDPR require controllers and processors to maintain?

Article 30 of the GDPR requires data controllers and processors to maintain records of their processing activities, “in writing, including in electronic form“, and to make these records available to their supervisory authority on request.

Article 30.1 of the GDPR requires each data controller to maintain a record of processing activities which must include the following information:

  • the name and contact details of the controller and, where applicable any joint controllers, the controller’s representative, and the Data Protection Officer (DPO);
  • a description of the categories of data subjects and types of personal data;
  • the purposes of the processing;
  • the categories of recipients of the personal data
  • data retention periods for different types of personal data
  • details of non-EEA data transfers and safeguards in place
  • a description of the technical and organisational security measures in place

Article 30.2 of the GDPR requires each processor, and where applicable the processor’s representative, to maintain a record of all categories of processing activities carried out on behalf of a controller, containing:

  • the name and contact details of the processor(s) and of each controller on behalf of which the processor is acting, and where applicable of the controller or processor’s representative) and the DPO
  • the categories of processing carried out on behalf of the controller
  • details of non-EEA transfers and safeguards in place
  • a description of the technical and organisational security measures in place

What derogations exist?

Article 30.5 contains a derogation from the record-keeping obligation for organisations employing fewer than 250 employees. However, this derogation is not absolute. It does not apply in regard to three types of processing, including: (I) processing that is likely to result in a risk to the rights and freedoms of data subjects (ii) processing that is not occasional (the WP29 considers that a processing activity is “occasional” if it is not carried out regularly, and occurs outside the regular course of business or activity of the controller or processor), or (iii) processing that includes special categories of data (i.e. sensitive data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, data concerning sex life or sexual orientation) or data relating to criminal convictions and offences

The WP29 emphasises that the three types of processing to which the derogation does not apply are alternative and the occurrence of any one of them alone triggers the obligation to maintain a record of processing activities. However, organisations with less than 250 employees need only maintain records of processing activities for the particular types of processing mentioned in (I) to (iii) above. Other processing activities do not need to be included in the record of processing activities.

The WP29 encourages Supervisory Authorities to support organisations by making available on their websites a simplified model that can be used by organisations to keep records of processing activities. The UK Information Commissioner has published helpful guidance on the record-keeping obligation to help controllers and processors understand their responsibilities (accessible here).