Article 28*
Article 28 – Documentation
Commission Proposal
1. Each controller and processor and, if any, the controller’s representative, shall maintain documentation of all processing operations under its responsibility.
2. The documentation shall contain at least the following information:
(a) the name and contact details of the controller, or any joint controller or processor, and of the representative, if any;
3. The controller and the processor and, if any, the controller’s representative, shall make the documentation available, on request, to the supervisory authority.
4. The obligations referred to in paragraphs 1 and 2 shall not apply to the following controllers and processors:
(a) a natural person processing personal data without a commercial interest; or
5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the documentation referred to in paragraph 1, to take account of in particular the responsibilities of the controller and the processor and, if any, the controller’s
6. The Commission may lay down standard forms for the documentation referred to in paragraph 1. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).
EDRi’s proposed amendment
1. Each controller and processor and, if any, the controller’s representative, shall maintain documentation of all processing operations under its responsibility.
2. The documentation shall contain at least the following information:
(a) the name and contact details of the controller, or any joint controller or processor, and of the representative, if any;
3. The controller and the processor and, if any, the controller’s representative, shall make the documentation available, on request, to the supervisory authority.
4. The obligations referred to in paragraphs 1 and 2 shall not apply to the following controllers and processors:
(a) a natural person processing personal data without a commercial interest; or
5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the documentation referred to in paragraph 1, to take account of in particular the responsibilities of the controller and the processor and, if any, the controller’s
6. The Commission may lay down standard forms for the documentation referred to in paragraph 1. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).
Justification
The size of the controller is not the appropriate criterion to trigger this exception, as small controllers might process the personal data of large numbers of data subjects. The better solution would therefore be to use the number of data subjects as the threshold criterion. In line with the EDPS opinion, the exceptions in paragraph (4) might as well be removed altogether.