In its Position Paper the Article 29 WP provides us with clarification with respect to the obligation to maintain records of processing activities pursuant to Article 30(5) GDPR.
The Article 29 WP’s position on the derogation from this obligation, specifying that the derogation provided by Article 30(5) is not absolute and that in fact, the article does not apply to three types of processing, namely:
- When processing is likely to put the rights and freedoms of data subjects at risk;
- When processing is not occasional; and
- For processing that includes special categories of data or personal data relating to criminal convictions and offences.
Any of the above-mentioned cases provides for the obligation to maintain the record of processing activities. Such records, however, must be maintained only for the types of processing mentioned by Article 30(5).
As the Article 29 WP points out, the record of processing activities is beneficial for the analysis of implications of processing, both planned and existing, insofar as it allows for a factual assessment of the risk of processing (by both processors and controllers) for individual rights and therefore may facilitate “the identification and implementation of appropriate security measures to safeguard personal data – both key components of the principle of accountability contained in the GDPR.”