Under which circumstances are controllers and processors not required to maintain records of personal data processing activities? The Personal Data Protection Law, modeled on the GDPR, sets out exceptions to the obligation for organizations with fewer than 250 employees to keep processing records. While this acknowledges the characteristics of small and medium-sized enterprises, ensuring they are not unnecessarily burdened with additional costs, the number of employees is not the sole criterion for exemption from the record-keeping obligation.
Organizations are still required to maintain records if they engage in processing activities that (a) pose a high risk to the rights and freedoms of data subjects, (b) are continuous rather than occasional, and/or (c) involve special categories of personal data or data related to criminal convictions and offenses. This is applicable even if the organization has fewer than 250 employees.
Considering that the management of employment relationships involves the continuous processing of employees’ personal data, any business entity with at least one employee is required to keep records of processing activities related to HR administration, regardless of the total number of employees. This requirement also applies to any business entity with no employees that engages in continuous data processing activities, such as video surveillance for ensuring the safety of people and property within business premises. For processing activities that are occasional, a business entity is not obliged to keep formal records.
Records of personal data processing activities must be kept up to date in real time and must be amended with each change in the scope, purpose, basis, and method of processing, as well as in the personal data protection measures. These records serve as a kind of "table of contents" for the controller/processor regarding the personal data processing activities carried out within their organization. Unlike previous regulations, these records are not submitted in advance to the Commissioner for Information of Public Importance and Personal Data Protection. Instead, the controller/processor must make the records available to the Commissioner's officials only upon request, and such a request is typically the first one made during an inspection.
Failure to maintain records of processing activities results in a fine of 100,000 dinars for obligated legal entities and 20,000 dinars for the responsible individual within the legal entity.
By Miodrag Klancnik, Partner, MMD Advokati