At the AssoDPO Congress, Luigi Montuori (Authority’s office), talking about the most recent WP29’s activities, cited a recent “position paper” on the exemption from the Records of processing activities.
I remind that article 30(5) states: “The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9, paragraph 1, or personal data relating to criminal convictions and offences referred to in Article 10”.
The WP29 emphasises that the exemption does not apply to the three cases listed in the Article (a risk to the rights and persons, a not occasional processing or sensitive/judicial data), but the SMEs are required to register in Records ONLY those three kinds of processing activities:
“However, such organisations need only maintain records of processing activities for the types of processing mentioned by Article 30(5). For example, a small organisation is likely to regularly process data regarding its employees. As a result, such processing cannot be considered “occasional” and must therefore be included in the record of processing activities. Other processing activities which are in fact “occasional”, however, do not need to be included in the record of processing activities, provided they are unlikely to result in a risk to the right and freedoms of data subjects and do not involve special categories of data or personal data relating to criminal convictions and offences”.