Although Article 30 of the GDPR states that companies must “maintain a record” of their processing activities, the provision contains an exemption for small businesses. Specifically, it states that if a company employs “fewer than 250 persons,” it is generally not required to maintain a record of its processing activities. The exception does not apply, however, if one of three conditions is present:
- The small business carries out processing that “is likely to result in a risk to the rights and freedoms of data subjects,”
- The small business carries out processing that “is not occasional,” or
- The small business carries out processing that “includes special categories of data” or that involves “data relating to criminal convictions and offences.”1
The small-business exception been interpreted very narrowly by the Article 29 Working Party.2
Specifically, a small business, like any business, maintains personal data concerning its employees. As that data is maintained throughout the employment relationship (and typically beyond) and is subject to systematic and periodic processing (e.g., to run payroll, collect and pay taxes on behalf of employees, evaluate performance, etc.) the Article 29 Working Party has taken the position that the processing cannot be characterized as “not occasional.” In order for processing to be considered “occasional,” it cannot be “carried out regularly” and it cannot be carried out within “the regular course of business or activity” of the company.3
Furthermore, in jurisdictions that permit it, employers often collect “data relating to criminal convictions” prior to offering an individual employment and periodically throughout the employment relationship. It is also common for an employer to hold some information about employees’ health. As a result, even if a company has fewer than 250 employees, it may still be subject to the same record keeping requirements as larger companies with respect to its human resource related data.
This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes. You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.
1. GDPR, Article 30(5).
2. The Article 29 Working Party was created by the Privacy Directive which predated the GDPR. The GDPR reconstituted the Working Party as the European Data Protection Board. See Article 94(2).
3. Article 29 Working Party Paper on the derogations from the obligation to maintain records of processing activities pursuant to Article 30(5).