GDPR (EU) 2016/679: Records of processing activities for micro, small and medium-sized enterprises

In the last few days, just before the GDPR came into force (today May 25th, 2018), a lot of debate was going on about GDPR compliance for Small and Medium-sized Enterprises (SME’s). on May 24th for example, the Dutch minister Sander Dekker of the ministry for Judicial Protection, commented on the matter trying to settle some of the confusion, stating that small organization should not worry too much about the AP standing on the doorstep on the 26th of May and issuing fines to these SME’s.

The GDPR itself also includes a derogation for SME’s with fewer employees than 250. In Recital (13), this derogation on record keeping is introduced, and in Article 30(5) the derogation is specified: “recording of processing activities are exempt for SME’s”. There are exceptions: “when the processing could result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes e.g. racial, ethnic or criminal convictions, record keeping is obligatory”.

As can be seen from this text in the law, the derogation defined in Article 30(5) is not absolute and is interpretable on at least 3 levels:

  • Processing that is likely to result in a risk to the rights and freedoms of data subjects;
  • Processing that is not occasional or
  • Processing that includes special categories of data or personal data relating to criminal convictions and offenses.

    Recently the Article 29 Data Protection Working Party (WP29) published a positioning paper on the derogation subject. The example given in the paper gives clear guidelines on how SME’s should process for example Human Resource data of employees. SME’s, just like larger sized enterprises, will very like process employee data on a regular basis. Such data shall be subject to proper record keeping.

    This brings us to the subject of quality management and Quality Management System implementation and maintenance, such as EN ISO 13485 in the medical field. Enterprises, including SME’s, operational in the medical field should include GDPR requirement into their Resource Management processes.

    Although Sander Dekker says SME’s should not worry too much on May 26th, Medical Device manufacturer should now be fully aware on how to deal with data, from the following sources:

  • Personal data that is processed as controller’ or ‘processor’;
  • Clinical data, either pseudonymized or anonymized;
  • Patient data received by customer complaints;
  • Human Resource data;
  • and more. 

If you require support or resources, do not hesitate to contact Qserve’s team of experts.


Gert W. Bos, PhD, Fraps
Jaap Noordmans
Post date: May 25, 2018
How can we help you? Contact us