undefined | Better HN

0 pointsgcthomas6y ago0 comments

GDPR doesn't have a lower limit on company size or age - it applies to any organisation that handles personal data.

0 comments

5 comments · 1 top-level

diminoten6y ago· 4 in thread

> But, there is an important limitation. Article 30 requires people/businesses processing personal data to keep records of their processing activities and categories and to make those records available upon request. If your business employs fewer than 250 people, you do not have to create these records unless there could be a risk to the ‘rights and freedoms of data subjects (including trade secrets or intellectual property rights), the processing is not occasional, or your business processes any ‘special categories’ of data as referred to in Article 9(1) (personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, and genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation, or personal data relating to criminal convictions and offences referred to in Article 10.)

https://www.internetlegalattorney.com/are-there-gdpr-exempti...

It's not a blanket immunity, but it's not universal as you say.

hedders6y ago

The way art 30(5) is drafted though means that the exception applies to basically nobody. What business can, honestly, say that it only occasionally processes personal data? Does it have no employees? Does it only occasionally communicate with people? That hardly seems likely.

Yes, it's probably a drafting defect, but I think one would be very brave indeed to try to rely on it, especially given that establishing an art 30 record is, practically speaking, a prerequisite for being in a position to comply with the rest of GDPR.

diminoten6y ago

Then I guess we're back to letting big companies, who have the resources to do this shit, have Europe, and the small companies, who are too busy building new things, will just grow in other areas before expanding to the EU.

1 more reply

gcthomasOP6y ago

The exemption is only for the record keeping requirement to help keep costs down. Every organisation still needs to meet the data protection regulations.

Silhouette6y ago

The way art 30(5) is drafted though means that the exception applies to basically nobody.

Unfortunately, this is a good demonstration of two criticisms made of the GDPR right from the start: the costs of creating new paperwork in the approved format even if it makes no material difference to any actual data processing, and ambiguity about what is required or permitted even in quite fundamental respects.

j / k navigate · click thread line to collapse