Working Party Confirms That Employers of All Sizes Must Maintain Article 30 Records of Processing for Human Resources Data

Authors: Grant D. Petersen (Tampa), Simon J. McMenemy (London), Hendrik Muschal (Berlin), Danielle Vanderzanden (Boston), Stephen A. Riga (Indianapolis)

Published Date: May 9, 2018

On April 19, 2018, the Article 29 Working Party (Working Party), which is composed of representatives from the data protection authorities in each of the 28 European Union (EU) member states, issued a position paper stating that all employers of EU employees are required to prepare and maintain records of processing activities relating to human resources data pursuant to Article 30 of the General Data Protection Regulation (GDPR).

Article 30 of the GDPR provides that each data controller must maintain a record of processing activities that contains all of the following information:

  • the name and contact details of the controller (typically, the EU employer entity) and any joint controllers (typically the parent company of the EU employer entity), as well as the name and contact details of the employer’s data protection officer (DPO) or EU representative;
  • the purpose of the processing;
  • a description of the categories of data subjects (i.e., applicants, employees, and former employees) and the categories of personal data;
  • the categories of recipients to whom the personal data has been or will be disclosed, including recipients in third countries (i.e., countries outside the EU which do not have laws providing adequate protection for data) or international organizations;
  • where the personal data is transferred to a third country or international organization, the identity of the third country or international organization and the legal mechanism used for such data transfers (such as the EU-U.S. Privacy Shield or standard contract clauses);
  • the envisaged time limits for storage and erasure of the different categories of data; and
  • a general description of the technical and organizational security measures for such data.

Article 30 also provides that organizations employing fewer than 250 employees are not required to maintain this record of processing unless (1) the processing of the personal data is likely to result in a risk to the rights and freedoms of data subjects; (2) the processing is not occasional; or (3) the processing involves special categories of personal data such as racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, data concerning sex life or sexual orientation, and data concerning criminal convictions and offenses.

In its position statement, the Working Party specifically stated that a small organization is likely to regularly process data regarding its employees: “As a result, such processing cannot be considered ‘occasional’ and must therefore be included in the record of processing activities.”

Key Takeaways for Employers

Many companies employing fewer than 250 employees in the EU have been under the assumption that they would be exempt from the Article 30 record of processing requirement so long as they avoided processing special categories of data. However, the Working Party has made it clear that all employers of EU employees, regardless of size, must maintain the Article 30 record of processing for human resources (HR) data. This is significant because, as we reported in our article of April 4, 2018, EU regulators have announced that they will focus their enforcement activities on several key areas of the GDPR, including compliance with the Article 30 record of processing requirement. Consequently, employers should take the following steps prior to the May 25, 2018, GDPR effective date:

  1. Determine the types of HR data processed, the purposes of the processing, the recipients of such data (including third-party vendors), the data retention periods for each type of HR data processed, whether such data is transferred outside the EU and the legal mechanism for such transfer, and the security measures used to protect the data.

  2. Determine the EU country-specific requirements for processing HR data. For example, each EU country has different data retention requirements for specific types of HR data.

  3. Prepare the Article 30 record of processing for HR data by May 25, 2018, so that the company can present the record to applicable EU regulators upon request.

Grant D. Petersen  (Tampa)

Mr. Petersen represents and counsels employers in a broad range of U.S. and international labor and employment laws, U.S. and global data privacy and data protection laws, and the Foreign Corrupt Practices Act and other international anti-corruption laws. He is the founder of the firm’s Data Privacy Practice Group and co-founder of the firm’s International Practice Group. Mr. Petersen has advised many clients regarding the impact of global data privacy laws in the workplace, the...

Simon J. McMenemy  (London)

Simon is an experienced employment and data privacy law practitioner. He was called to the Bar in 1995, and subsequently qualified as a solicitor while working in the employment and incentives team of a major global law firm. He has advised on the employment aspects of many major international and multi-jurisdictional mergers and acquisitions. He also has a wide range of experience in advising companies on change management, particularly in relation to acquired rights, pensions and benefits....

Hendrik Muschal  (Berlin)

Hendrik Muschal is a partner in Ogletree Deakins’ Berlin office. As an acknowledged and experienced expert, he advises numerous German and international clients on all aspects of individual employment law, collective employment law in both the private and public sector, international employment law and criminal labor law. One of the focal points of Hendrik’s work regarding global HR management is innovative personnel cost optimization and data protection. As an expert in data...

Danielle Vanderzanden  (Boston)

Ms. Vanderzanden is a Shareholder in the Boston and Portland (ME) offices, and Co-Chair of the firm’s Data Privacy Practice Group. She specializes in the areas of privacy, restrictive covenant, wage and hour, discrimination and labor and employment litigation and counseling. She devotes her practice to helping employers with employment-related disputes, conducting investigations and providing counsel to clients seeking to reduce their potential for liability to their employees and third...

Stephen A. Riga  (Indianapolis)

Mr. Riga concentrates his practice in the area of employee benefits and privacy and security issues. Mr. Riga's benefits practice includes work with funds and employers to design, maintain, merge and terminate qualified retirement plans and health and welfare plans. Mr. Riga prepares determination letters and voluntary compliance program submissions and assists employers and funds on COBRA, Medicare Part D, and HIPAA compliance. Mr. Riga evaluates contribution and withdrawal liability...