Article 30 of the GDPR, "Records of processing activities", obliges the controller and the processor to maintain a record of the processing activities under their responsibility.
Specifically, that record shall contain all of the following information:
- the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer;
- the purposes of the processing;
- a description of the categories of data subject and the categories of personal data;
- the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organizations;
- where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
- where possible, the envisaged time limits for erasure of the different categories of data;
- where possible, a general description of the technical and organizational security measures referred to in Article 32.
It is a major formality, very important for companies, and a precondition for data management that complies with the law.
The controller and the processor will have to comply by 24 May 2018; however, the obligation does not apply to an enterprise or an organization employing fewer than 250 persons unless:
- the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects;
- the processing is not occasional, or the processing includes special categories of data as referred to in Article 9 and Article 10.
| Company with fewer than 250 people | |
|---|---|
| Risky processing | Frequency of the processing: occasional or not occasional (usual) |
| Risky processing of special data (Art. 9 and Art. 10) | Obligation to keep the record |
Therefore, within an organization with fewer than 250 people, the obligation to maintain records of processing does not apply when the controller or the processor carries out processing that is risky but occasional and the data involved are not included in the special categories.
Unfortunately, the GDPR does not clarify when a processing is occasional or when it constitutes a risk for the rights and freedoms of data subjects, and in the absence of official guidelines or directives, I consider the application of the principle of accountability to be appropriate!
Of course, a guideline would help.