WP29 Issues Guidance On GDPR Obligations For Companies Under 250 Employees

King & Spalding

On April 19, 2018, the statutorily-appointed independent EU advisory body known as the Article 29 Working Party (“WP29”) published a Position Paper on the derogations from the obligation to maintain records of processing activities pursuant to Article 30 (5) GDPR (“Position Paper”). Regulation (EU) 2016/679, known as the General Data Protection Regulation (“GDPR”), will become effective on May 25 in all 28 EU Member States. Under GDPR, each company processing personal data is obliged to maintain a record of processing activities.

The record shall contain information on, among other things, the company’s contact details, the purposes of the processing, the categories of data subjects and personal data, as well as the categories of recipients to whom the personal data are disclosed (Art. 30 (1) and (2) GDPR). These records of processing activities have to be in writing and shall be made available to the supervisory authority on request (Art. 30 (3) and (4) GDPR).

The obligation to maintain such a record of processing activities does not apply, however, to micro, small and medium-sized enterprises with fewer than 250 employees, unless (i) the processing is likely to result in a risk to the rights and freedoms of data subjects; or (ii) the processing is not occasional; or (iii) the processing includes special categories of data (such as religious belief, health data, genetic data, etc.) or personal data relating to criminal convictions and offences (Art. 30 (5) GDPR). With its recent Position Paper, the WP29 provides a helpful interpretation of these derogating provisions and gives its opinion as to when companies are not required to maintain a record of processing activities.

The WP29 underlines that the wording of Article 30 (5) GDPR clearly provides that the three conditions under which the derogation does not apply are alternative and, therefore, that the occurrence of any one of them alone triggers the obligation to maintain the record of processing activities for this specific type of processing. The WP29 further considers that a processing activity can only be considered “occasional” within the meaning of Art. 30 (5) if it is not carried out regularly and occurs outside the regular course of business or activity of the company. Where a small company, for example, regularly processes data regarding its employees, such processing is not considered occasional and must therefore be included in the record of processing activities. The same should apply with regard to customer management and accounting.

In practice, this interpretation means that the majority of micro, small and medium-sized companies will not be able to rely on the derogations from the obligation to maintain records of processing activities and will be obliged to present such records to the supervisory authorities when requested. It remains to be seen whether the authorities and courts will uphold this strict interpretation.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising
