Article 30 of the GDPR requires organizations that process personal data to maintain a record of their processing activities. Although this concept may appear new to organizations outside of the European Union (EU), for organizations established and operating in the EU, a requirement of the EU Data Protection Directive 95/46/EC was to notify and register processing activities with local Data Processing Authorities (DPA).
Article 30, however, has replaced this requirement. Instead of notifying and registering processing activities with local DPAs, organizations must maintain an internal record of processing activities and have it readily available in case a supervisory authority requests to review those records.
Why Is Article 30 of the GDPR so important?
While the process of maintaining such records may seem challenging, unless an organization can determine what type of personal data it processes, where that data is stored, and how such data moves through and out of the organization, it will be impossible to comply with the letter and spirit of the GDPR. The information you gather while preparing your record of data processing activities becomes your guiding light for complying with the core articles of the GDPR, for example Article 6 (the requirement to establish a lawful basis for processing), Article 7 (the conditions and requirements for obtaining consent), and Article 13 (the requirement to disclose the details of your processing in privacy notices).
It is, therefore, in the best interest of GDPR-regulated organizations to undertake an inventory and analysis of the data they process. Knowing what data you process and why will help you identify the gaps in your GDPR compliance program and will pave the way for compliance with many of the GDPR’s requirements.
What Should Data Controllers Include in their Record of Processing Activities?
Data controllers and data processors each have their own separate set of obligations under Article 30 of the GDPR. This section of the article only discusses the obligations of the data controllers. For more information on the specific obligations of a data processor, please refer to Article 30(2) of the GDPR.
According to Article 30(1) of the GDPR, the record of processing maintained by a data controller should include, at a minimum:
- the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative in the European Union (VeraSafe can serve as your Representative in the European Union, as required by Article 27 of the GDPR) and the data protection officer;
- the purposes of the processing;
- a description of the categories of data subjects and of the categories of personal data;
- the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organizations;
- where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
- where possible, the envisaged time limits for erasure of the different categories of data;
- where possible, a general description of the technical and organizational security measures referred to in Article 32(1).
Exemptions from Article 30
Contrary to popular belief, the obligations under Article 30 apply to every organization regulated by the GDPR, unless all the following criteria apply to the organization simultaneously:
- the processing is occasional (e.g., the data is never stored for longer than a very short duration); and
- the processing it carries out is not likely to result in a risk to the rights and freedoms of data subjects; and
- the processing includes no special categories of data, as referred to in Article 9(1), and no personal data relating to criminal convictions and offences referred to in Article 10; and
- the organization employs fewer than 250 employees.
It is important to note that the concept of “large scale” is not well-defined in the law. It is actually very vague, and not a comfortable basis for claiming an exception from Article 30, except in rare cases. Note that the storage of personal data is also a type of “processing”. Therefore, even merely storing data over time makes this exemption inapplicable.
Furthermore, when an organization determines whether its data processing activities present a risk to the rights and freedoms of data subjects, the opinion of the organization’s impartial Data Protection Officer must be given substantial weight.
How Can VeraSafe Help?
VeraSafe can assist you with identifying the precise extent of the GDPR’s applicability to your organization and provide expert support to operationalize complex obligations, such as those under Article 30. To learn more about VeraSafe’s Privacy Program, the EU-U.S. Privacy Shield, and the GDPR, contact one of VeraSafe’s privacy experts today for a free EU data protection consultation.