Record of processing activities: simplification for SMEs

Wednesday May 9th, 2018

At the AssoDPO Congress, Luigi Montuori (Authority’s office), talking about the WP29’s most recent activities, cited a recent “position paper” on the exemption from keeping the Record of processing activities.

As a reminder, Article 30(5) states: “The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9, paragraph 1, or personal data relating to criminal convictions and offences referred to in Article 10”.

The WP29 emphasises that the exemption does not apply in the three cases listed in the Article (a risk to the rights and freedoms of data subjects, processing that is not occasional, or sensitive/judicial data), but that SMEs are required to enter in the Record ONLY those three kinds of processing activities:

“However, such organisations need only maintain records of processing activities for the types of processing mentioned by Article 30(5). For example, a small organisation is likely to regularly process data regarding its employees. As a result, such processing cannot be considered “occasional” and must therefore be included in the record of processing activities. Other processing activities which are in fact “occasional”, however, do not need to be included in the record of processing activities, provided they are unlikely to result in a risk to the rights and freedoms of data subjects and do not involve special categories of data or personal data relating to criminal convictions and offences”.

A small client (or a small subsidiary, maybe a foreign one) may have heard of the exemption, so we should decide whether to apply the restriction proposed by the WP29 or to go further than it requires. Personally, I stand by the opinion that we can’t do data protection without knowing what kinds of data are processed; we should, therefore, have a complete Record of activities. Yesterday, at the AssoDPO Congress, Colonel Marco Menegazzo (Head of the Privacy Unit of the Guardia di Finanza) confirmed, regarding inspection activities: “First we will ask to speak with the DPO, secondly to see the Record of processing activities”.
Translated by Matilde Bobbio
