Simplifying GDPR? ROPAs: the ALLNET Law Perspective

In a letter from May 6th, the European Commission proposed to exempt certain organizations from GDPR's record-keeping requirements (ROPAs of Article 30) if they met all these criteria:

1️⃣ Fewer than 500 employees

2️⃣ No high-risk processing activities

3️⃣ Only processing special categories of data

The EDPB and EDPS have responded to the EU Commission via the letter below, raising legitimate questions about balancing data protection with organisational interests and advocating for a risk-based approach. For instance, a company that processes highly sensitive data, even if employing fewer than 500 people, is still operating with high-risk data and needs to make sure that all measures are in place to protect these sensitive records.

At ALLNET Law we would like to offer a practical perspective:

Even if you as a company qualify for this exemption, maintaining basic processing records remains a smart business decision.

Why?

When a regulator knocks on your door with a tight deadline, demanding details about your data processing practices, and you have no organised records, you will face:

• Company-wide disruption while scrambling to gather information

• Potential external consultancy costs

• Heightened compliance risk

• Rushed, possibly incomplete responses

The answer is clear: small, consistent investments in your privacy program cost significantly less than scrambling to address unexpected regulatory inquiries with potential enforcement consequences.

Don't view record-keeping just as a regulatory burden—it's also practical risk management that protects your business.
