Do SMEs need to keep record of their processing activities?

Apr 24, 2018 12:00:00 AM | EU

With the GDPR fully enforceable, more and more questions arise regarding the scope of article 30 GDPR. As you might already know, article 30 GDPR imposes the obligation to maintain records of processing activities by both controllers and processors. In this blog post, we will address if and how small and medium-sized enterprises (SMEs) can comply with article 30 GDPR.


One of the purposes of the GDPR is to make sure that organisations are accountable if they are processing personal data of their employees, clients or other data subjects. In order to do so, the GDPR imposes the obligation to maintain records of your processing activities. You may call this a privacy administration, or bookkeeping for privacy officers. This administration needs to be done by both the data controller and the data processor.

SMEs are busy preparing to be GDPR-compliant. The Article 29 Working Party (WP29) received a lot of questions regarding the applicability of article 30 GDPR, more specifically on the derogation that is laid down in article 30(5) GDPR. In order to provide more clarity for SMEs, the WP29 published a position paper on this topic.

Article 30(5) GDPR – the derogation

Article 30(5) GDPR states that article 30(1) and (2) GDPR do not apply to organisations with fewer than 250 employees, unless at least one of the following conditions applies:

  • The processing is likely to result in a risk to the rights and freedoms of data subjects;
  • The processing is not occasional;
  • The processing includes special categories of data or personal data relating to criminal convictions and offences.

The processing is likely to result in a risk to the rights and freedoms of data subjects

Please note that the GDPR is not talking about a high risk; a risk alone is enough to meet this condition. The WP29 adds that keeping records of processing activities enables organisations to assess whether processing is likely to result in a risk to the rights and freedoms of data subjects.

The processing is not occasional

Every organisation with employees stores some personal data about them in order to fulfil its obligations as an employer, such as paying salaries. This kind of processing activity is not occasional and therefore has to be included in the records of processing activities.

This does not mean that an organisation needs to keep track of all processing activities. They only have to maintain records of the processing activities that fall under the scope of article 30(5) GDPR.

The processing includes special categories of data or personal data relating to criminal convictions and offences

Lastly, processing activities that include the processing of special categories of data (article 9 GDPR) and/or data relating to criminal convictions and offences (article 10 GDPR) need to be included in the overview of processing activities.

The WP29 emphasises that it is unlikely that keeping records of these processing activities will constitute a lot of work for SMEs. Using your privacy administration as the heart of your privacy governance enables your organisation to comply with all the other obligations of the GDPR, such as data protection impact assessments, data breach notification obligations and complying with data subject rights.

So no matter if the obligation applies to your organisation, it is still useful to have an overview of all processing activities. Want to start right now? Download our free whitepaper on how to carry out a data mapping and start today with your record of your organisation’s processing activities!