Today (24 May 2018) is the last day for adjusting business operations to comply with the new requirements of the General Data Protection Regulation. The Article 29 Data Protection Working Party takes the view that under the GDPR, practically all employers must maintain a record of processing activities with respect to their employees’ data.
What is a record of processing activities?
The GDPR requires data controllers to maintain a record of processing activities. The record functions as a ledger where the data controller maintains information on whose data it processes (categories of data subjects), the categories of data it processes, the purpose for which it processes the data, whom the data are disclosed to (categories of recipients), whether it transfers the data to third countries, how long the data are stored, and how the data are secured. A similar obligation is imposed on data processors (entities commissioned by the data controller to process personal data), although the scope of information in the data processor’s record is somewhat different.
What does the GDPR say about the duty to maintain a record?
Recital 13 and Art. 30(5) GDPR provide that this record-keeping obligation does not apply to an enterprise or organisation employing fewer than 250 persons unless:
- The processing it carries out is likely to result in a risk to the rights and freedoms of data subjects
- The processing is not occasional, or
- The processing includes special categories of personal data (e.g. data concerning health, political views, etc.) or personal data relating to criminal convictions and offences.
These provisions have raised practical doubts, but the exceptions suggest that enterprises employing fewer than 250 people and mainly processing the data of their own employees are not required to maintain such a record, because such processing would be occasional and thus subject to one of the exceptions.
What does the Article 29 Working Party think?
Considering this issue, the WP29 relied on a literal interpretation of the GDPR and concluded that the exceptions to the general rule (only employers of at least 250 people must maintain a record) should be read in the alternative: if an enterprise fails to satisfy any one of the three exceptions, it is required to maintain a record of processing activities.
The group found that even small organisations are likely to regularly—not occasionally—process data regarding their employees. Thus the exception above for occasional processing is not met, and in practice even small employers will have to maintain a record of data processing activities.
However, the WP29 also took the view that the duty to maintain a record will apply only to the categories of data not covered by the given exception, i.e. data concerning the organisation’s own employees.
What should employers do?
Employers should thus establish a record of data processing activity concerning their employees. The record must be updated on an ongoing basis as the employer undertakes new operations on the employees’ data.
Small enterprises should also consider whether they are covered by the other exceptions provided for in the GDPR. If in addition to their own employees’ data they also process, for example, information concerning criminal convictions and offences, or the processing poses a threat to the rights and freedoms of other data subjects, then the record should cover data operations in those other areas as well.
Jarosław Karlikowski, legal adviser, Employment practice, Wardyński & Partners