The regulation is changing – GDPR strictness is being relaxed

Before the adoption of the General Data Protection Regulation (GDPR), there was already talk of introducing lighter and easier-to-fulfill rules for small businesses. In the end, the adopted legislation essentially included only one such exception, which stipulated that companies with fewer than 250 employees would not have to keep records of the data they process. However, since this exception was only applicable under certain conditions, this solution did not have the desired effect and did not significantly alleviate the situation of small businesses, and all this ultimately resulted in a small limited partnership essentially having to comply with the same rules as a global media company, says Iván Bartal, partner at Oppenheim Law Firm.

Change may come for companies with fewer than 750 employees

The good news in this regard is that the European Commission, based on its latest annual report on SMEs, recognized that the complexity of EU legislation makes it difficult for such businesses to enter the market, limits growth opportunities and can result in unreasonably high compliance costs. The Commission has therefore recently set itself the goal of simplifying a number of pieces of legislation, thereby reducing bureaucracy and proportionally reducing certain obligations for smaller market players.

This would include easing some of the GDPR rules and establishing substantive exceptions for smaller companies. According to the Commission’s plan, companies with fewer than 750 employees would not, in principle, be required to keep records of the personal data they process, unless the activities they carry out are likely to pose a high risk to the data subjects (employees, customers), but even then the record-keeping obligation would only apply to these activities.

In practice, this would mean that employers below the above number would be exempted from an important and burdensome obligation to keep records up-to-date, and would only have to comply with this if they carry out certain activities that seriously affect the privacy of the data subjects. This may include, for example, monitoring employee activities, building a profile of purchasing or other habits (profiling), processing biometric or genetic data, processing location data, camera surveillance, and using new technologies (e.g. artificial intelligence) when processing customer or employee data, for example in recruitment, workplace performance evaluation, or analyzing customer purchasing habits.