Although Article 30 of the GDPR states that companies must “maintain a record” of their processing activities, the provision contains an exemption for small businesses. Specifically, it states that if a company employs “fewer than 250 persons,” it is generally not required to maintain a record of its processing activities. The exception does not apply, however, if one of three conditions is present:

  1. The small business carries out processing that “is likely to result in a risk to the rights and freedoms of data subjects,”
  2. The small business carries out processing that “is not occasional,” or
  3. The small business carries out processing that “includes special categories of data” or that involves “data relating to criminal convictions and offences.”1

The small-business exception been interpreted very narrowly by the Article 29 Working Party.2

Specifically, a small business, like any business, maintains personal data concerning its employees. As that data is maintained throughout the employment relationship (and typically beyond) and is subject to systematic and periodic processing (e.g., to run payroll, collect and pay taxes on behalf of employees, evaluate performance, etc.) the Article 29 Working Party has taken the position that the processing cannot be characterized as “not occasional.” In order for processing to be considered “occasional,” it cannot be “carried out regularly” and it cannot be carried out within “the regular course of business or activity” of the company.3

Furthermore, in jurisdictions that permit it, employers often collect “data relating to criminal convictions” prior to offering an individual employment and periodically throughout the employment relationship. It is also common for an employer to hold some information about employees’ health. As a result, even if a company has fewer than 250 employees, it may still be subject to the same record keeping requirements as larger companies with respect to its human resource related data.