On April 19, 2018, the European Data Protection Board (EDSA, English EDPB), the successor body to the Article 29 Working Party, published a position paper on Art. 30 para. 5 GDPR. This concerns the SME exemption from the obligation to keep a register of processing activities:
(5) The obligations referred to in paragraphs (1) and (2) shall not apply to companies or institutions that employ fewer than 250 employees, unless the processing they carry out poses a risk to the rights and freedoms of data subjects, the processing is not only occasional, or the processing includes special categories of data referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10.
The EDSA states in this regard:
- The counter-exceptions, i.e. the three circumstances in which the SME exemption does not apply, are to be understood as alternatives; it is therefore sufficient that only one of these circumstances is fulfilled for the exemption to cease to apply.
- Where a counter-exception applies, however, the obligation to maintain the register of processing activities arises only for those processing activities to which the counter-exception applies (e.g. an SME processes employee data and, occasionally, innocuous end-user data; employee data is not processed only occasionally, so a record must be kept for this processing, but not for the end-user data).