05-23-2018

GDPR: most SMEs will be unable to avoid the requirement of an RPA for some types of processing

Submitted by GarriguesAdmin2 on Thu, 24/05/2018 - 10:28

Pilar Vargas (lawyer in the Corporate Law and Commercial Contracts practice area and the Technology & Outsourcing industry group).

The General Data Protection Regulation ("GDPR") exempts small and medium enterprises ("SMEs")[1] from the requirement to maintain Records of Personal Data Processing Activity ("RPA") unless the processing carried out by the SME entails a risk to the rights and freedoms of the interested parties, is not occasional, or includes special categories of personal data or similar conditions.

In practice, this wording has left many SMEs unsure about whether or not they are required to keep an RPA.

The Article 29 Working Party ("WP29") has just published its position paper on this exception (article 30.5 GDPR). The WP29 paper interprets the GDPR as confirming that an SME which meets any of the three circumstances preventing it from taking advantage of the exception is required to maintain an RPA, although it clarifies that this RPA need only cover the processing activities affected by the specific grounds in question. In other words, it introduces the innovation of separating activities for the purposes of the RPA, so that a record is only necessary in respect of those particular activities.

Thus, for example, a company whose only non-occasional processing of personal data derives from salary management will only need to keep an RPA covering processing in that area, because that processing is, by definition, regular and repeated, and therefore habitual rather than occasional.

It should be recalled that the RPA is the key to data governance in any organization. It is the essential element for structured data management, both internally and in the event of a request from the supervisory authority. Furthermore, it is an extremely useful tool for enabling companies to gain a comprehensive overview of their processing activities, and this new perspective in turn results in greater consistency in corporate privacy strategy.

Basically, article 30 of the GDPR establishes a minimum content for RPA, both for data controllers and data processors. For the moment, neither the new LOPD draft bill nor the Spanish Data Protection Agency (“AEPD”) have come up with a framework proposal for the RPA[2], which has created considerable uncertainty among businesses, particularly those SMEs that may find themselves in a grey zone as to whether or not they are eligible for the exception established in article 30.5 of the GDPR[3].

The Bavarian Data Protection Authority has published a guide for creating an RPA. This guide is the only one of its kind to have been issued so far, apart from some comments contained in the recent WP29 position paper, which, however, only addresses the RPA in connection with the aforementioned exception in article 30.5 of the GDPR.

The Bavarian guide raises a series of apparently minor issues regarding the RPA which nonetheless have considerable relevance in practice. One example is the requirement to maintain a record of RPA amendments for a specific period from the date of each modification, pursuant to the principle of proactive responsibility, i.e. accountability, as established in article 5.2 of the GDPR. This record is necessary in order to be able to check the RPA amendments during that period, which the guide recommends should be extended so that it coincides with the limitation period for related data protection matters.

In respect of article 30.5, the Bavarian Authority indicates that this exception will be extremely limited in its application, since SMEs are normally subject to conditions that prevent them from taking advantage of it, usually because they either process personal data repeatedly or process sensitive data.

This view of the limited application of the exemption for SMEs from the need to create an RPA is further confirmed in the WP29 position paper. At the present time it would be difficult to find an SME that does not process personal or sensitive data on a regular basis for some category of interested party, whether employees, clients or representatives of other enterprises.

In short, compliance with all the GDPR requirements will, in practice, necessitate the compilation of data processing inventory documents which, irrespective of the name and title given to them, will essentially be extremely similar to an RPA.

It could even be argued that an exception based on an objective numerical criterion should have been eliminated during the legislative drafting process, as the different versions of the GDPR were developed (Commission, Parliament, Council, Trilogue), in the same way that other objective thresholds were ruled out, such as those originally devised for the designation of the Data Protection Officer, where that objective focus was replaced by one of proactive responsibility (accountability).

In any case, the initiatives being undertaken by the different authorities illustrate the need to continue taking local specificities into account, despite the terms of the GDPR.


[1] For the purposes of the GDPR, an SME is deemed to be a company that employs fewer than 250 employees.

[2] The Catalan Data Protection Agency recently published an app designed to create an RPA for SMEs, available at the following link.

[3] Although the AEPD has not issued a position in this regard, it is currently leading an interesting project designed to assist SMEs in adapting fully to the GDPR. Within the framework of this project a "facilitate" tool has been developed, which aims to assist enterprises with low-risk processing activities in complying with the new regulation.


Services:

Data protection & Privacy, Cybersecurity
