May 17, 2022

Volume XII, Number 137


May 17, 2022

Subscribe to Latest Legal News and Analysis

May 16, 2022

Subscribe to Latest Legal News and Analysis

Working Party Confirms That Employers of All Sizes Must Maintain Article 30 Records of Processing for Human Resources Data

On April 19, 2018, the Article 29 Working Party (Working Party), which is comprised of representatives from the data protection authorities in each of the 28 European Union (EU) member states, issued a position paper stating that all employers of EU employees are required to prepare and maintain records of processing activities relating to human resources data pursuant to Article 30 of the General Data Protection Regulation (GDPR).

Article 30 of the GDPR provides that each data controller must maintain a record of processing activities that contains all of the following information:

  • the name and contact details of the controller (typically, the EU employer entity) and any joint controllers (typically the parent company of the EU employer entity), as well as the name and contact details of the employer’s data protection officer (DPO) or EU representative;
  • the purpose of the processing;
  • a description of the categories of data subjects (i.e., applicants, employees, and former employees) and the categories of personal data;
  • the categories of recipients to whom the personal data has been or will be disclosed including recipients in third countries (i.e., countries outside the EU which do not have laws providing adequate protection for data) or international organizations;
  • where the personal data is transferred to a third country or international organization, the identity of the third country or international organization and the legal mechanism used for such data transfers (such as the EU-U.S. Privacy Shield or standard contract clauses);
  • the envisaged time limits for storage and erasure of the different categories of data; and
  • a general description of the technical and organizational security measures for such data.

Article 30 also provides that organizations employing fewer than 250 employees are not required to maintain this record of processing unless (1) the processing of the personal data is likely to result in a risk to the rights and freedoms of data subjects; (2) the processing is not occasional; or (3) the processing involves special categories of personal data such as racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, data concerning sex life or sexual orientation, and data concerning criminal convictions and offenses.

In its position statement, the Working Party specifically stated that a small organization is likely to regularly process data regarding its employees: “As a result, such processing cannot be considered ‘occasional’ and must therefore be included in the record of processing activities.”

Key Takeaways for Employers

Many companies employing fewer than 250 employees in the EU have been under the assumption that they would be exempt from the Article 30 record of processing requirement so long as they avoided processing special categories of data. However, the Working Party has made it clear that all employers of EU employees, regardless of size, must maintain the Article 30 record of processing for human resources (HR) data. This is significant because, as we reported in our article of April 4, 2018, EU regulators have announced that they will focus their enforcement activities on several key areas of the GDPR, including compliance with the Article 30 record of processing requirement. Consequently, employers should take the following steps prior to the May 25, 2018, GDPR effective date:

  1. Determine the types of HR data processed, the purposes of the processing, the recipients of such data (including third-party vendors), the data retention periods for each type of HR data processed, whether such data is transferred outside the EU and the legal mechanism for such transfer, and the security measures used to protect the data.
  2. Determine the EU country-specific requirements for processing HR data. For example, each EU country has different data retention requirements for specific types of HR data.
  3. Prepare the Article 30 record of processing for HR data by May 25, 2018, so that the company can present the record to applicable EU regulators upon request.
© 2022, Ogletree, Deakins, Nash, Smoak & Stewart, P.C., All Rights Reserved.National Law Review, Volume VIII, Number 129

About this Author

Grant Petersen, Labor, Employment, Ogletree Deakins

Mr. Petersen represents and counsels employers regarding a broad range of U.S. and international labor and employment law issues, Foreign Corrupt Practices Act and other anti-corruption law issues, and data privacy and data protection law issues. He represents clients in a wide variety of industries, including manufacturing, service, healthcare, financial, retail, and food processing, as well as multinational companies and trade associations.

Simon McMenemy, Labor Employment, Managing Partner, New York, OgleTree Deakins law firm
Managing Partner

Simon is an experienced employment law practitioner. He was called to the Bar in 1995, and subsequently qualified as a solicitor while working in the employment and incentives team of a major global law firm. He has advised on the employment aspects of many major international and multi-jurisdictional mergers and acquisitions. He also has a wide range of experience in advising companies on change management, particularly in relation to acquired rights, pensions and benefits. Simon advises on the increasingly complex issues arising on data privacy and data protection in the workplace and is...

44 (0)20 7822 7620
Hendrick Muschal, Ogletree Deakins, Employment Attorney, Germany
Managing Partner / Certified Specialist for Employment Law

Hendrik Muschal is a partner in Ogletree Deakins’ Berlin office.  He advises numerous German and international clients on all aspects of individual employment law, collective employment law in both the private and public sector, international employment law and criminal labor law.  Hendrik is strongly involved in international business activities, particularly in the field of international investments and cross-border transactions as well as global HR management.

One of the focal points of Hendrik’s work regarding global HR management is data protection and monitoring inside the EU...

+ 49 (0) 30 862030 161
Danielle Vanderzanden, Ogletree Deakins Law Firm, Labor Law and Privacy Attorney

Ms. Vanderzanden is a Shareholder in the Boston office and Co-Chair of the firm’s Data Privacy practice group.  She specializes in the areas of privacy, restrictive covenant, wage and hour, discrimination and labor and employment litigation and counseling.  She devotes her practice to helping employers with employment-related disputes, conducting investigations and providing counsel to clients seeking to reduce their potential for liability to their employees and third parties.  She has personally conducted dozens of investigations, including investigations involving...

Stephen Riga, Ogletree Deakins Law Firm, Labor Law and Privacy Attorney
Of Counsel

Mr. Riga concentrates his practice in the area of employee benefits and privacy and security issues.

Mr. Riga's benefits practice includes work with funds and employers to design, maintain, merge and terminate qualified retirement plans and health and welfare plans. Mr. Riga prepares determination letters and voluntary compliance program submissions and assists employers and funds on COBRA, Medicare Part D, and HIPAA compliance. Mr. Riga evaluates contribution and withdrawal liability obligations, and identifies retirement and health and welfare...