EDPB: Position Paper on Art. 30 (5) GDPR (SME Exemption)

On April 19, 2018, the European Data Protection Board (EDPB; German: EDSA), the successor body to the Article 29 Working Party, published a position paper on Art. 30 para. 5 GDPR. This concerns the SME exemption from the obligation to keep a register of processing activities:

(5) The obligations referred to in paragraphs (1) and (2) shall not apply to companies or institutions that employ fewer than 250 persons, unless the processing they carry out involves a risk to the rights and freedoms of data subjects, the processing is not merely occasional, or the processing includes special categories of data referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10.

The EDPB states in this regard:

  • The counter-exceptions, i.e. the three circumstances in which the SME exemption does not apply, are to be understood as alternatives; it is therefore sufficient for only one of them to be fulfilled for the exemption to cease to apply.
  • Where a counter-exception applies, however, the obligation to maintain the record of processing activities arises only for those processing activities to which the counter-exception applies (e.g. an SME processes employee data and, occasionally, innocuous end-user data; the employee data is not processed only occasionally, so a record must be kept for this processing, but not for the end-user data).
