Expert Advice Community

ROPA applicability

Guest user Created:   Apr 21, 2021 Last commented:   Apr 22, 2021

So it is stated in GDPR that an organization has to maintain ROPA if
1. it has more than 250 employees
2. it performs processing that is not occasional

We act as both a
1. data processor for customers where we are processing personal data on a daily basis
2. data controller for our own employee data, marketing, and sales data

My question is: are we still bound to maintain ROPA?

Expert
Alessandra Nisticò Apr 21, 2021

Article 30 GDPR requires Registers of Processing Activities (ROPA) also if the Controller/Processor processes special categories of data under Article 9 (1). If your organization has employees and Clients, the processing is not occasional and you are likely to process also special categories of personal data (i.e., trade union membership, health data, etc.), so you need to maintain ROPA.

If you want to learn how to comply with EU GDPR requirements you may consider enrolling in our free training EU GDPR Foundations course: https://training.advisera.com/se/eu-gdpr-foundations-course//

Guest
Simmal Pasha Apr 21, 2021

If we are storing special categories of data for our own employees only and personal data of customers, should we maintain ROPA?

Guest
Simmal Pasha Apr 22, 2021

@Simmal Pasha

If we are storing special categories of data for our own employees only and personal data of customers, should we maintain ROPA?

And is processing of personal data of employees, such as payroll processing, considered "occasional"?

Expert
Alessandra Nisticò Apr 22, 2021

"If we are storing special categories of data for our own employees only and personal data of customers, should we maintain ROPA?"

Yes, you should. ROPA is one of the most important accountability instruments that the GDPR offers in case of inspection from the Surveillance Authority.

"And is processing of personal data of employees, such as payroll processing, considered "occasional"?"

No, it is periodical, so it is not occasional.

The European group of experts who developed the GDPR and gave interpretation on the previous directives, the so-called WP29, stated that a processing activity can only be considered as “occasional” if it is not carried out regularly, and occurs outside the regular course of business or activity of the controller or processor.

Therefore, payroll is not occasional processing.
