Exemption from the obligation to maintain records
Diogo Duarte
LL.M., CIPP/E, CIPM, FIP, ECPC-G | Privacy Counsel | Data Protection Officer | GDPR Compliance Specialist
Under Art. 30 Sec. 1 GDPR, the controller and processor, or their representatives where applicable, shall maintain a record of the processing activities under their responsibility. Art. 30 GDPR sets out a list of elements that must be present in the records of processing activities. Those elements differ slightly between controllers (Art. 30 Sec. 1 GDPR) and processors (Art. 30 Sec. 2 GDPR). As stated by Art. 30 Sec. 3 GDPR, the records shall be maintained in writing, including in electronic form. This requirement serves four different purposes: it increases the transparency of data processing activities; it permits adequate monitoring of the processing operations; it proves compliance with the GDPR; and it helps to fulfill information requests from data subjects when they exercise their rights under the GDPR. As is known, if any infringement of this obligation takes place, the controller shall be subject to administrative fines of up to 10,000,000 EUR or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher (see Art. 83 Sec. 4 GDPR).
In order to avoid these fines and for compliance purposes, controllers may be required to incur additional expenditures. For example, it may be necessary to hire another employee or to buy specialized software that helps the controller fulfill this obligation. However, while this seems a reasonable obligation for larger companies, it must be acknowledged that it could be a heavy burden for small companies, which may not have enough human resources to fulfill it. In this respect, Art. 30 Sec. 5 GDPR provides an exemption that benefits micro-, small-, and medium-sized companies. According to that article, the obligation to maintain records of data processing shall not apply to an enterprise or an organization employing fewer than 250 persons. This exemption presumes that micro-, small-, and medium-sized companies have a residual data processing volume, which is often limited to the processing of tax information.
Nevertheless, this exemption will not apply if the data processing carried out by controllers is likely to result in a risk to the rights and freedoms of data subjects; if the processing is not occasional; or if the processing includes special categories of data, as referred to in Art. 9 Sec. 1 GDPR, or personal data relating to criminal convictions and offenses, as referred to in Art. 10 GDPR. This may be the case for small health clinics, dentists' offices, etc., where data processing involves information on the health status of the data subjects. This is also the case for market research and business intelligence companies. For example: ABC is a small market research company that intends to carry out a survey in order to anticipate the outcome of a referendum. ABC contacts 3,000 people to conduct this survey, which includes a series of questions about their preferences on particular social and political issues. Although the company has fewer than 250 employees, the exemption is not applicable to it, because the survey involves the processing of special categories of data (such as political opinions or philosophical beliefs) and the data processing is not occasional, but part of ABC's business purpose. In the case of ABC, it is mandatory to maintain records of processing activities, as laid down by Art. 30 Sec. 1 and 2 GDPR.
In this context, the question remains whether this exemption is applicable when two or more controllers act together in the sense given by Art. 26 GDPR (joint controllers). In such a case, it is useful to outline two distinct scenarios to understand this issue. In the first scenario, let us imagine that AB (a big company) and CD (a small company) are joint controllers. In normal circumstances, this exemption only benefits the latter. Does CD have to maintain records of processing activities in the same way that AB is obligated to? In my opinion, CD is now obligated to maintain records of processing activities because, regardless of the type of data that will be processed, it is not possible to assert that the data processing is occasional. On the contrary, the joint controllers' regime presupposes that data processing will occur, and that is why it requires a clear allocation of responsibilities for each company, as it becomes obvious that data processing is no longer occasional.
The same question arises when two or more entities, all of which are covered by the exemption, become joint controllers. Let us suppose that A, B, C and D are small companies that have become joint controllers. It would be possible to argue that, if none of them is obliged to maintain records of processing activities, the exemption in Art. 30 Sec. 5 GDPR should continue to apply. However, once again, it must be observed that the joint controllers' regime assumes a change of circumstances. In this context, it is not reasonable to assume that data processing will remain occasional. Furthermore, because the risk of a data breach increases when two or more entities act together as joint controllers, it is highly advisable to take precautions and maintain records of processing activities, which could lead to tighter control of data processing. Finally, joint controllers must fulfill the obligation in Art. 30 Sec. 1 and 2 GDPR in order to prove compliance with the GDPR and to avoid the fines set by Art. 83 Sec. 4 GDPR.