Although Article 30 of the GDPR states that companies must “maintain a record” of their processing activities, the provision contains an exemption for small businesses. Specifically, it states that if a company employs “fewer than 250 persons,” it is generally not required to maintain a record of its processing activities. The exception does not apply, however, if one of three conditions is present:
- The small business carries out processing that “is likely to result in a risk to the rights and freedoms of data subjects,”
- The small business carries out processing that “is not occasional,” or
- The small business carries out processing that “includes special categories of data” or that involves “data relating to criminal convictions and offense.”

The small-business exception has been interpreted very narrowly by the Article 29 Working Party. A small business of course maintains personal data concerning its employees. Because that data is maintained throughout the employment relationship (and typically beyond), it is subject to systematic and periodic processing (e.g., to run payroll, collect and pay taxes on behalf of employees, evaluate performance, etc.). The Article 29 Working Party takes the view that such processing cannot be characterized as “occasional.” For processing to be considered “occasional,” it cannot be “carried out regularly” and it cannot be carried out within “the regular course of business or activity” of the company. In jurisdictions that permit it, employers often collect “data relating to criminal convictions” before offering an individual employment and periodically throughout the employment relationship. It is also common for an employer to hold some information about employees’ health. As a result, even if a company has fewer than 250 employees, it may still be subject to the same record-keeping requirements as larger companies with respect to its human-resources-related data.