The data protection basic regulation obligates, as per Art. 30 of the GDPR, written documentation and overview of procedures by which personal data are processed. Records of processing activities must include significant information about data processing, including data categories, the group of impacted people, the purpose of the processing and the data receivers. This must be completely provided to authorities upon request.
The obligation to create records of processing activities is not only incumbent upon persons responsible and their representative, but also directly on processing employees and their representatives as in Art. 30(2) of the GDPR. Companies or institutions with fewer than 250 employees are exceptionally freed from creating an index if the processing undertaken does not pose a risk to the rights and freedoms of those concerned, if no processing of special data categories is done, or if the processing is done only occasionally as it is indicated in Art. 30(5) GDPR. In practice, this waiver is rarely applicable. Apart from any difficulties which occur in designing what is “only occasional,” most companies – even with a broad interpretation of the term – must clearly create regular data processing procedures, including for the website, their web shop, salary calculation or CRM systems. Above all, companies which have had no procedural index, will be subject to additional bureaucratic expense. Thus, one must note that the obligation for documentation and therefore records of processing activities will be a focus of authorities’ inspections within the data protection basic regulation.
If a company does not maintain records of processing activities and/or does not provide a complete index to authorities, they are subject to fines according to Art. 83(4)(a) of the GDPR. The possible fines can be up to 10 million euros or 2% of their annual turnover. This total is, as a rule, only assessed by the authorities in exceptional cases. For this, the authorities must, as set forth in recital 13, “consider the special needs of the smallest companies as well as small and medium companies in the application of this regulation.”