The General Data Protection Regulation requires, under Art. 30 GDPR, written documentation and an overview of the procedures by which personal data are processed. Records of processing activities must include the significant information about the data processing, including the data categories, the group of data subjects, the purpose of the processing and the data recipients. These records must be made available in full to the authorities upon request.
The obligation to create records of processing activities is imposed not only on the controller and their representative, but also directly on the processor and their representatives, as set forth in Art. 30(2) GDPR. By way of exception, companies or institutions with fewer than 250 employees are exempt from keeping a record if the processing is not likely to pose a risk to the rights and freedoms of the data subject, if no special categories of data are processed, or if the processing is done only occasionally, as indicated in Art. 30(5) GDPR. In practice, this exemption is rarely applicable. Apart from the difficulties of interpreting what counts as “only occasional,” in most companies – even with a broad interpretation of the term – data will unambiguously be processed regularly, for example for the website, the web shop, salary calculation or CRM systems. Note that the documentation obligation, and therefore the records of processing activities, will be a focus of the authorities’ inspections of how the Data Protection Regulation has been implemented.
If a company does not maintain records of processing activities and/or does not provide a complete index to the authorities, it is subject to fines under Art. 83(4)(a) GDPR. The possible fines can be up to 10 million euros or 2% of annual turnover. This maximum is, as a rule, imposed by the authorities only in exceptional cases. In this regard, the authorities are encouraged, as set forth in recital 13, “to take account of the specific needs of micro, small and medium-sized enterprises in the application of this Regulation.”
Suitable GDPR articles
- Art. 5 GDPR ► Principles relating to processing of personal data
- Art. 30 GDPR ► Records of processing activities
Suitable Recitals
- (13) Taking Account of Micro, Small and Medium-Sized Enterprises
- (82) Record of Processing Activities
External Links
Authorities
- Data Protection Authority UK ► Documentation (Link)
- Data Protection Authority Luxembourg ► Data Protection Basics: The obligations of controllers and processors – 2. Record of processing activities, Page 5 (Link)
Expert contribution
- Bitkom ► The Processing Records (Link)