First of all, thank you for reading my post! This means that you are interested in hearing about the EU's General Data Protection Regulation (GDPR).
My name is Zoltán Balázs Kovács and I am a Hungarian lawyer with a strong focus on data protection law. Since the adoption of the GDPR, and especially in the last few months, more and more entities have expressed their interest in learning about the new regime and in preparing for it. My aim with this blog is to summarize the most important rules of the GDPR in a Q&A format and to help entities prepare for the new rules.
Following an introduction, this post addresses the rules concerning the scope of the GDPR and the records of data processing activities by way of posing and answering questions.
When it comes to preparing for a new legal regime, entities often face difficulties due to the various issues and questions which arise from the wording of the new law. The GDPR is no different. The text of the regulation contains a number of grey zones, as also admitted by the Article 29 Data Protection Working Party (WP29), the competent EU body in charge of issuing, for example, opinions and guidelines on various data protection issues.
Since the entry into force of the GDPR (i.e. on 25 May 2016), the WP29 has issued a number of guidelines aiming to assist entities with the preparation for the new set of rules the GDPR will bring about from 25 May 2018, i.e. the date from which the GDPR will be applied.
The purpose of this blog is to give those interested a view of the new rules and a brief summary of the most important "to-dos". Since the fine imposed by the competent data protection authority on a non-compliant entity can reach EUR 20 million or 4% of the total worldwide annual turnover of the undertakings in the preceding financial year (whichever is higher), it is certainly advisable to make every effort to comply with the rules.
Preparing for the GDPR first requires a new mindset due to the principle of accountability (Article 5(2)). Under this principle, the controller is not only responsible for data processing but must, at the same time, be able to demonstrate compliance with the requirements. It can be well assumed that the principle also applies to processors. Compliance can be demonstrated by documenting every step the controller or the processor takes or decides not to take. For example, if, based on Article 37 of the GDPR, the controller or the processor concludes that no data protection officer needs to be designated, that decision and the reasons supporting it must be documented and, in the event of an authority inspection, the relevant document must be presented.
For the purposes of the GDPR, controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data, whereas processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
II The scope of the GDPR
1. Does the GDPR always apply to companies established in the European Union?
Practically, yes. The GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the European Union, regardless of whether the processing takes place in the European Union or not.
2. Does the GDPR apply to companies established outside the European Union?
The GDPR is applicable to the processing of personal data of data subjects who are in the European Union by a controller or processor not established in the European Union, where the processing activities are related to:
(a) the offering of goods or services to such data subjects in the European Union (irrespective of whether a payment by the data subject is required); or
(b) the monitoring of their behaviour as far as their behaviour takes place within the European Union (for example, webtracking).
3. Does the GDPR apply to me then?
If, for example, an undertaking is established in the European Union and processes personal data (e.g. it has employees, customers, business partners), the GDPR applies.
Also, if an undertaking is established outside the European Union and offers goods or services (for example, online) to individuals in the European Union, the GDPR is applicable. If an undertaking is established outside the European Union and tracks or analyzes the behaviour of individuals in the European Union (e.g. online), the GDPR applies as far as the behaviour monitored takes place within the European Union.
III Records of processing activities
1. Who has to maintain records of processing activities?
Both controllers and processors are required to maintain records of processing activities (Article 30). As the WP29 emphasizes in its guidelines on Data Protection Officers ("DPOs") adopted on 13 December 2016 and last revised on 5 April 2017,
"the record required to be kept under Article 30 should also be seen as a tool allowing the controller and the supervisory authority, upon request, to have an overview of all the personal data processing activities an organization is carrying out. It is thus a prerequisite for compliance, and as such, an effective accountability measure."
2. How can I prepare the records of processing activities?
When starting to prepare for the GDPR, a data mapping needs to be performed first, i.e. a registry of data processing activities which may serve as the basis for all further preparation must be drawn up. This means that all purposes for which personal data are processed must be collected and analyzed based on the factors listed by the GDPR (please see the response to Question 6 below).
Article 30(1) contains the mandatory elements of the records to be maintained by controllers, whereas Article 30(2) lists the compulsory elements of the records to be kept by processors (please see the response to Question 6 below).
3. In which form do I have to prepare the records of processing activities?
Keeping the records in electronic form satisfies the requirement. It is advisable to prepare a table (e.g. an Excel sheet) of the data processing activities in which each of the factors listed under Question 6 below is a column; the table must then be duly filled out.
4. Can the supervisory authority request me to hand over the records of processing activities?
Yes. Under the GDPR, both the controller and the processor are required to make the records available to the supervisory authority upon request. In practice, this means that if the competent data protection authority (DPA) inspects the controller's / processor's premises, one of the DPA's first requests to the controller / processor will be to hand over the "records of processing activities", so that the DPA can gain an overview of the processing operations and proceed with the inspection.
5. Is there an exception to the obligation to keep records of processing activities?
Article 30(5) of the GDPR states that the obligation to maintain such records does not apply to an entity employing fewer than 250 persons unless:
(a) the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects;
(b) the processing is not occasional; or
(c) the processing includes e.g. health, biometric or criminal data (as referred to in Article 9(1) or Article 10).
Entities employing fewer than 250 persons are advised to be more than cautious about relying on Article 30(5) to argue that the record keeping obligation does not apply to them, and in fact should avoid doing so. Why? Firstly, the exception is softly worded and, secondly, as mentioned above, compliance should in any case start with the preparation of the records of processing activities, so that the entity can clearly see what data processing activities it carries out and can then take further preparatory steps as necessary.
6. What information must the records of processing activities contain?
In summary, controllers are required to prepare a table of the records of processing activities which must contain:
(a) the name and contact details of the controller (and, where applicable, the joint controller, the controller's representative and the data protection officer);
(b) the purposes of the processing (some typical purposes are (the list is not exhaustive): the processing of employees' data in connection with employment; the operation of surveillance camera(s) at a workplace; the supervision by the employer of the use by its employees of email / laptops / the Internet at the workplace; the operation of a whistle-blowing system; direct marketing; the processing of customers' data; processing in a B2B relationship; running a prize draw; the operation of a web shop; the use of claim asserting companies, etc.);
(c) a description of the categories of data subjects and of the categories of personal data;
(d) the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organisations;
(e) where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and the documentation of suitable safeguards;
(f) the envisaged time limits for erasure of the different categories of data; and
(g) a general description of the technical and organisational security measures applied to keep the data safe (e.g. the naming of persons in a given position having access to the data; place of storage; level of IT security applied).
It is also advisable to describe each processing activity in a few words and to name its legal basis (the possible legal bases are set out in Article 6(1) of the GDPR and, if special categories of data (e.g. health, biometric or criminal data) are also processed, in Article 9(2)).
Also, processors are required to prepare the records of processing activities, which must contain:
(a) the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting (and, where applicable, the name and contact details of the controller's or the processor's representative, and the data protection officer);
(b) the categories of processing carried out on behalf of each controller;
(c) where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and the documentation of suitable safeguards;
(d) a general description of the technical and organisational security measures applied to keep the data safe (e.g. the naming of persons in a given position who have access to the data; place of storage; level of IT security applied).
7. What happens once the records of processing activities are prepared?
Once the controller / processor has a clear picture of the data processing activities it carries out, preparation can, and must, commence. It is essential to prepare the records of processing activities properly, since this document serves as the basis for all further preparation.
The records of processing activities must be kept up to date. Nothing the GDPR contains is a one-time exercise. Thus, if there is a change in the data processing activities, such a change must be reflected in the records of the processing activities.
In my next post, I will address the most important issues concerning data protection officers (DPOs).
Zoltán Balázs Kovács, J.D. (LL.M.), Partner, Szecskay Attorneys at Law, Budapest, Hungary (firstname.lastname@example.org)
The contents of this post are intended to provide only a general overview of the subject matter and do not qualify as legal advice.