GDPR compliance guide for online businesses outside of the European Union (Part 3 of 5)
Recording your processing activities is the foundation of a comprehensive privacy compliance program. We clarify GDPR's Article 30 and provide you with the templates you need to comply.
In this article, you will find templates you can use to comply with the General Data Protection Regulation (GDPR)'s Article 30 requirement to record your processing activities. I have provided context to the cross-references of Article 30, which should clarify most of your questions about creating your records and assessing whether your processing complies with the GDPR. If any questions remain, you can write to me or schedule time to discuss your specific situation in more detail.
This article is Part 3 of 5 in our series to provide a comprehensive guide for online businesses outside of the European Union to comply with the GDPR.
Recording your processing activities serves as the foundation of your GDPR compliance plan. Every data controller and processor should know what data they collect, from whom they collect it, and their purpose for doing so. These records can then serve as the basis to evaluate your adherence to GDPR's data protection principles and other requirements. It's also information you will be required to provide data subjects should they request to access the data you have collected from them, and it's important you have a plan in place to respond to requests in a consistent manner.
In addition to requiring you to maintain these records, the GDPR requires that your EU representative also retain a copy and make it available to supervisory authorities upon request. Keeping your record of processing activities (ROPA) up-to-date with your EU representative will help keep both of you out of trouble. If you don't have an EU representative, we offer an instant solution to appoint your EU representative.
Records of processing activities (Article 30)
Article 30(1): Each controller and, where applicable, the controller's representative, shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information:
You need to provide contact information for various roles and responsibilities. Doing so helps a regulator know who to ask what questions in the event of an inquiry.
Article 30(1)a: the name and contact details of the controller and, where applicable, the joint controller, the controller's representative and the data protection officer;
The remainder of the requirements in Article 30(1)b-g should be treated as components to document for each data processing activity, as opposed to bulleted lists per each subparagraph. Refer to examples provided by the UK Information Commissioner's Office.
Article 30(1)b: the purposes of the processing;
Article 30(1)c: a description of the categories of data subjects and of the categories of personal data;
Article 30(1)d: the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;
Article 30(1)e: where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
Article 49(1): In the absence of an adequacy decision pursuant to Article 45(3), or of appropriate safeguards pursuant to Article 46, including binding corporate rules, a transfer or a set of transfers of personal data to a third country or an international organisation shall take place only on one of the following conditions:
(a) the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards;
(b) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject's request;
(c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;
Article 49(3): Points (a), (b) and (c) of the first subparagraph of paragraph 1 and the second subparagraph thereof shall not apply to activities carried out by public authorities in the exercise of their public powers.
(d) the transfer is necessary for important reasons of public interest;
Article 49(4): The public interest referred to in point (d) of the first subparagraph of paragraph 1 shall be recognised in Union law or in the law of the Member State to which the controller is subject.
(e) the transfer is necessary for the establishment, exercise or defence of legal claims;
(f) the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent;
(g) the transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by Union or Member State law for consultation are fulfilled in the particular case.
Article 49(2): A transfer pursuant to point (g) of the first subparagraph of paragraph 1 shall not involve the entirety of the personal data or entire categories of the personal data contained in the register. Where the register is intended for consultation by persons having a legitimate interest, the transfer shall be made only at the request of those persons or if they are to be the recipients.
Where a transfer could not be based on a provision in Article 45 or 46, including the provisions on binding corporate rules, and none of the derogations for a specific situation referred to in the first subparagraph of this paragraph is applicable, a transfer to a third country or an international organisation may take place only if the transfer is not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject, and the controller has assessed all the circumstances surrounding the data transfer and has on the basis of that assessment provided suitable safeguards with regard to the protection of personal data. The controller shall inform the supervisory authority of the transfer. The controller shall, in addition to providing the information referred to in Articles 13 and 14, inform the data subject of the transfer and on the compelling legitimate interests pursued.
Article 45(3): The Commission, after assessing the adequacy of the level of protection, may decide, by means of implementing act, that a third country, a territory or one or more specified sectors within a third country, or an international organisation ensures an adequate level of protection within the meaning of paragraph 2 of this Article. The implementing act shall provide for a mechanism for a periodic review, at least every four years, which shall take into account all relevant developments in the third country or international organisation. The implementing act shall specify its territorial and sectoral application and, where applicable, identify the supervisory authority or authorities referred to in point (b) of paragraph 2 of this Article. The implementing act shall be adopted in accordance with the examination procedure referred to in Article 93(2).
Article 49(5): In the absence of an adequacy decision, Union or Member State law may, for important reasons of public interest, expressly set limits to the transfer of specific categories of personal data to a third country or an international organisation. Member States shall notify such provisions to the Commission.
Adequacy decisions by the European Commission can be accessed here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en.
As of the time of publication of this article, the European Commission has so far recognized Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay and the United States of America (limited to the Privacy Shield framework) as providing adequate protection.
Adequacy talks are ongoing with South Korea.
Article 49(6): The controller or processor shall document the assessment as well as the suitable safeguards referred to in the second subparagraph of paragraph 1 of this Article in the records referred to in Article 30.
Article 30(1)f: where possible, the envisaged time limits for erasure of the different categories of data;
Article 30(1)g: where possible, a general description of the technical and organisational security measures referred to in Article 32(1).
Article 32(1)a: the pseudonymisation and encryption of personal data;
Article 32(1)b: the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
Article 32(1)c: the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
Article 32(1)d: a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
What Article 30(1) establishes for a data controller, Article 30(2) establishes for a data processor. In general, every business is at least a data controller as it necessarily determines "the purposes and means of the processing of personal data" to carry out its activities. If your product or service is then processing personal data on behalf of your clients (controllers), you are also considered a data processor and have additional requirements to fulfill when it comes to recordkeeping.
In the case of a data processor, there is no requirement to detail the processing activities of each controller in the ROPA. Instead, you would include these details in the contract between you (the processor) and your customer (the controller). Refer to the UK Information Commissioner's Office's guidance on contracts.
With this contract in place, you would include the categories of processing carried out on behalf of each controller instead of the processing purpose, data categories, and data subject categories.
Article 30(2)b: the categories of processing carried out on behalf of each controller;
You can refer to additional guidance by the Information Commissioner's Office in the United Kingdom and Commission nationale de l'informatique et des libertés in France, which include further clarifications and downloadable templates that demonstrate their expectations of the level of detail in your ROPA.
It's also important to highlight an ambiguous exemption, which provides an exemption from the ROPA requirement if you employ fewer than 250 persons, and you only occasionally process general categories of personal data.
Article 30(5): The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10.
Based on guidance by the Article 29 Working Party (WP29), the predecessor to the European Data Protection Board (in reference to Article 29 of GDPR's predecessor, the Data Protection Directive, and not Article 29 of the GDPR), it is difficult for any website or app running analytics tools to argue their process is occasional as opposed to "regular and systematic."
WP29 interprets ‘regular’ as meaning one or more of the following:
Ongoing or occurring at particular intervals for a particular period
Recurring or repeated at fixed times
Constantly or periodically taking place
WP29 interprets ‘systematic’ as meaning one or more of the following:
Occurring according to a system
Pre-arranged, organised or methodical
Taking place as part of a general plan for data collection
Carried out as part of a strategy
You have documentation to defend yourself if you are not compliant. As with any regulation, GDPR is open to some interpretation. If you and your regulator disagree on your compliance in the future, supporting documentation for your decisions will be your best defense. When you're completing your ROPA, you will also be documenting how your processing complies with the GDPR. If you have nothing, you'll appear negligent.
One of your obligations to your EU representative is to provide a copy of your ROPA so they can fulfill their duties to you. I hope you can see how unfulfilled obligations would be an unnecessary complication when you need to be in lockstep with your EU representative to field regulatory inquiries.
You need to be consistent with your responses to data subject requests. When you receive requests from data subjects regarding how you process their data, you will need to be complete and consistent in how you respond. It's a time-sensitive process, and the entire premise of GDPR is to protect individuals' rights to their data, so a failure here is significant exposure to your business. What started with the GDPR is going to continue with the California Consumer Privacy Act (CCPA), which will start being enforced on July 1, 2020, until these requests are an ordinary part of doing business online. Knowing what data you collect from whom, your purpose, and your legal basis for doing so will go a long way in turning a stressful exercise into a routine process.
While I've written this article to be as helpful as possible, it cannot and does not contain legal advice. The legal information is provided for general informational and educational purposes only and is not a substitute for professional advice. Accordingly, before taking any actions based upon such information, I encourage you to consult with the appropriate professionals. We do not provide any kind of legal advice. The use or reliance of any information contained on this site is solely at your own risk.
If you require legal assistance, I am happy to refer you to an attorney specializing in privacy laws and regulations.