Background
Article 30 of the GDPR states that each controller and processor of a data subject’s personal data shall maintain a record of processing activities that are its responsibility. It goes on to set out what should be contained in each of the controller’s and processor’s records. When used in Article 30.1a-g and 30.2a-d the word ‘record’ does not bear its usual meaning. For the purposes of Article 30 the record is a statement that must contain the information set out in Article 30.1 for controllers and Article 30.2 for processors.
Article 30.5 provides an exemption that allows Smaller Organisations[1] to avoid the Article 30 record keeping obligations provided that the processing is (i) only occasional; (ii) not considered a risk to the rights and freedoms of the data subjects; and (iii) not of ‘Special Categories of Data’ (Article 9.1) or personal data relating to criminal convictions and offences (together, for the purposes of this article, ‘Sensitive Processing’[2]).
GDPR is clear as to what Sensitive Processing is, but what does ‘occasional’ mean? The term is not defined, and so far there has been no guidance from the Article 29 Working Party.
Under the GDPR, ‘personal data’ includes merely a name or an email address of an individual (Article 4.1), and processing includes storage of personal data on an electronic system or in a relevant filing system (Article 4.2). If ‘occasional’ has its literal meaning (occurring, appearing, or done infrequently and irregularly: OED), the exemption provided for by Article 30.5 would be meaningless. Organisations process personal data on a daily basis, for example by holding a list of their employees, and that cannot by any stretch of the imagination be occasional. Interpreting Article 30 purposively requires some other meaning, as the legislators must have intended Article 30.5 to have some effect. How can we interpret Article 30.5 so that ‘day-to-day’ processing would not prevent the exemption from applying to 99.99% of Smaller Organisations? Can we perhaps find an exemption within an exemption?
The Information Commissioner’s Office
The ICO have provided specific guidance for Smaller Organisations, and the records exemption is mentioned. Two of the ‘disqualifiers’[3] (Sensitive Processing) are referred to, but whether or not the data processing is occasional is ignored entirely. The ICO state that ‘If your organisation has less than 250 employees you are [only[4]] required to maintain records of activities related to [Sensitive Processing][5]’. Having contacted the ICO helpline and asked them why they have ignored the disqualifier relating to occasional data processing, we were informed that they have not commented on what ‘occasional’ means because the Article 29 Working Party is yet to provide guidance on this. The ICO Information Officer said that the Article 29 Working Party is likely to produce an opinion on this in early 2018 and the ICO will update their guidance thereafter.
The Belgian Privacy Commission
The Belgian Privacy Commission (their ‘Data Protection Authority’) has provided guidance[6] on the meaning of ‘occasional’ in this context, and their view is that ‘managing client data, employee data and supplier data’, all data that would be processed daily, could be excluded from the definition of ‘processing’ for the purpose of this disqualifier. They go on to say that they recommend that all organisations keep Article 30 records of their personal data processing; however, they will not object if occasional (in the true sense of the word) processing is not recorded. This suggests either that they like repeating themselves or, and perhaps this is the point, that even if the rest of the world does not agree with their interpretation of Article 30.5 they will not penalise a Smaller Organisation for not recording truly occasional processing.
If we are to rely on the Belgians’ view, the next question is therefore: what does ‘managing’ mean in this context? Our view is that ‘managing’ the above data includes employees’, customers’ and suppliers’ records, placing orders with suppliers, invoicing customers and liaising with them over progress of work, but would not extend to sending marketing emails or processing personal data in a way that would not be considered normal for the day-to-day running of the business[7].
If we follow the view of the Belgian Data Protection Authority, organisations should apply the following thought process.
Without a definition for ‘managing data’, what decides whether a controller or processor is ‘managing data’ remains unclear; it is our view that if a Smaller Organisation is unsure, the data processing should be recorded.
What does this mean for Smaller Organisations?
A literal interpretation of Article 30.5 suggests there either is or is not an obligation to record all personal data processing. The Belgians, however, seem to be saying that it is only data processing that falls foul of the disqualifiers that needs to be recorded and that other processing can take advantage of the exemption. This means that Smaller Organisations will only need to record their Sensitive Processing and any other processing that is not day-to-day management processing, unless truly occasional. Smaller Organisations may therefore be relieved of some record keeping but will still need to keep Article 30 records of some of their processing. The ICO guidance also suggests that Article 30.5 exempts Smaller Organisations from recording some categories of processing rather than all processing.
Our View
This is undoubtedly an example of how unclear GDPR is, and without any specific guidance from the Article 29 Working Party or the ICO we can only apply a purposive and proportionate approach. Whilst the recording obligations are somewhat less for Smaller Organisations, it is clear that recording of data processing is a sensible precursor to compliance with GDPR. In the likely situation that an organisation is unclear as to whether or not they are obliged to record a specific processing activity, they should err on the side of caution and record the activity. Without analysing the data flows and identifying whether the data is ‘managing data’ or whether the processing is ‘occasional’ it would be impossible to know what to record and, as that process is required for an Article 30 record, it would appear that Smaller Organisations would need to create a comprehensive record of all processing so that they can decide, and subsequently justify to the ICO, what processing they do not need to record. In other words, they will need to produce a record in order to demonstrate that they have correctly decided what does and does not have to be recorded!
We await the opinion of the Article 29 Working Party with bated breath, and will update this article accordingly.
Gemma Briance and Geoffrey Sturgess are both solicitors in the commercial and tech team at Warner Goodman, Southampton: GemmaBriance@warnergoodman.co.uk, GeoffreySturgess@warnergoodman.co.uk
[1] ‘Smaller Organisations’ are, for the purposes of this article, organisations or enterprises that employ fewer than 250 people.
[2] For the purposes of this article the term ‘Sensitive Processing’ means processing considered a risk to the rights and freedoms of the data subjects, and processing of ‘Special Categories of Data’ or personal data relating to criminal convictions and offences.
[3] This term is being used to describe data processing that would prevent the Art. 30 exemption from applying to an organisation, i.e. disqualify the organisation from relying on the exemption.
[4] Wording added.
[5] https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/documentation/
[6] https://www.privacycommission.be/sites/privacycommission/files/documents/recommandation_06_2017_0.pdf (opinion only published in French and Flemish).
[7] Note: if the organisation were a marketing company, sending thousands of marketing emails a day to customers, prospects, or on behalf of an organisation would undoubtedly not be included in the definition of ‘managing data for the day-to-day running of the business’.