The European Commission plans to relax the GDPR for companies with fewer than 750 employees, recognising that the current rules impose a disproportionate burden on smaller businesses. Under the proposal, these companies would, in principle, be exempted from the obligation to maintain a record of processing activities, unless their activities are likely to pose a high risk to data subjects. The aim of the relief is to reduce administrative burdens and increase competitiveness - Ivan Bartal, partner at Oppenheim Law Firm, reviews the new rules.
Prior to the adoption of the General Data Protection Regulation (GDPR), it was already being considered that small businesses should be subject to lighter and easier rules. In the final legislation adopted, the only exception was essentially one that stipulated that companies with fewer than 250 employees do not have to keep records of the data they process. However, as this exception was also only applicable under certain conditions, this solution did not have the desired effect and did not substantially alleviate the situation of small businesses, and the end result was that a small limited liability company essentially has to comply with the same rules as a global media company - says Ivan Bartal, partner at Oppenheim Law Firm.
Change for companies with fewer than 750 employees
In this context, it is good news that the European Commission has recognised, on the basis of its latest annual report on SMEs, that the complexity of EU legislation for such businesses makes it difficult to enter the market, limits growth opportunities and can lead to unduly high compliance costs. The Commission has therefore recently set itself the objective of simplifying a number of pieces of legislation, thereby cutting red tape and proportionately reducing some of the obligations for smaller operators.
This would include relaxing some of the rules of the GDPR, and making meaningful exceptions for smaller companies. Under the Commission's plan, companies with fewer than 750 employees would in principle not be obliged to maintain a record of processing activities about the personal data they process, except where the activities they carry out are likely to present a high risk to the data subjects (employees, customers), but even then, the obligation to keep records would only apply to those activities.
In practice, this would mean that employers below this number would be exempted from an important and burdensome obligation to maintain a register and to keep it up to date, and would only have to do so if they carry out certain activities that have a more serious impact on the privacy of the individuals concerned. This could include, for example, the monitoring of employees' activities, profiling of their shopping or other habits, processing of biometric or genetic data, processing of location data, camera surveillance, use of new technologies (e.g. artificial intelligence) in the processing of customer or employee data, for example in recruitment, job performance appraisal or analysis of customers' shopping habits.
In the case of these, the companies will also have to carry out a so-called data protection impact assessment, and it is important to stress that this obligation, along with the other requirements of the GDPR (compliance with data protection principles, ensuring legal bases, concluding data processing contracts, ensuring the exercise of data subjects' rights, etc.), is not affected by the Commission's proposal, so these will continue to be imposed on these companies in unchanged form, Bartal notes.
Therefore, if the GDPR is amended as proposed, companies with less than 750 employees will be able to comply with data protection legislation under lighter conditions. To what extent this will help achieve the Commission's lofty goals of reducing the administrative burden on small and medium-sized enterprises and increasing their competitiveness remains to be seen, but if the relaxation is introduced, companies below this size will need to review their data management activities to see if they can benefit from it.