On April 19, 2018, the Article 29 Working Party (Working Party), which is composed of representatives from the data protection authorities in each of the 28 European Union (EU) member states, issued a position paper stating that all employers of EU employees are required to prepare and maintain records of processing activities relating to human resources data pursuant to Article 30 of the General Data Protection Regulation (GDPR).
Article 30 of the GDPR provides that each data controller must maintain a record of processing activities that contains all of the following information:
- the name and contact details of the controller (typically, the EU employer entity) and any joint controllers (typically the parent company of the EU employer entity), as well as the name and contact details of the employer’s data protection officer (DPO) or EU representative;
- the purpose of the processing;
- a description of the categories of data subjects (i.e., applicants, employees, and former employees) and the categories of personal data;
- the categories of recipients to whom the personal data has been or will be disclosed, including recipients in third countries (i.e., countries outside the EU which do not have laws providing adequate protection for data) or international organizations;
- where the personal data is transferred to a third country or international organization, the identity of the third country or international organization and the legal mechanism used for such data transfers (such as the EU-U.S. Privacy Shield or standard contract clauses);
- the envisaged time limits for storage and erasure of the different categories of data; and
- a general description of the technical and organizational security measures for such data.
Article 30 also provides that organizations employing fewer than 250 employees are not required to maintain this record of processing unless (1) the processing of the personal data is likely to result in a risk to the rights and freedoms of data subjects; (2) the processing is not occasional; or (3) the processing involves special categories of personal data such as racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, data concerning sex life or sexual orientation, and data concerning criminal convictions and offenses.
In its position statement, the Working Party specifically stated that a small organization is likely to regularly process data regarding its employees: “As a result, such processing cannot be considered ‘occasional’ and must therefore be included in the record of processing activities.”
Key Takeaways for Employers
Many companies employing fewer than 250 employees in the EU have been under the assumption that they would be exempt from the Article 30 record of processing requirement so long as they avoided processing special categories of data. However, the Working Party has made it clear that all employers of EU employees, regardless of size, must maintain the Article 30 record of processing for human resources (HR) data. This is significant because, as we reported in our article of April 4, 2018, EU regulators have announced that they will focus their enforcement activities on several key areas of the GDPR, including compliance with the Article 30 record of processing requirement. Consequently, employers should take the following steps prior to the May 25, 2018, GDPR effective date:
- Determine the types of HR data processed, the purposes of the processing, the recipients of such data (including third-party vendors), the data retention periods for each type of HR data processed, whether such data is transferred outside the EU and the legal mechanism for such transfer, and the security measures used to protect the data.
- Determine the EU country-specific requirements for processing HR data. For example, each EU country has different data retention requirements for specific types of HR data.
- Prepare the Article 30 record of processing for HR data by May 25, 2018, so that the company can present the record to applicable EU regulators upon request.