While Article 30 of the European Union's General Data Protection Regulation (hereinafter 'GDPR') is often discussed for the record-keeping obligations it imposes on processing, little attention is paid to the exemption it provides to small organizations. The provision exempts organizations employing fewer than 250 persons from the record-keeping obligations under the GDPR.
The exemption can be availed if one of the following conditions is met:
- The processing that the organization carries out is not likely to result in a risk to the rights and freedoms of data subjects;
- The processing is not occasional; or
- The processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10.
The intent behind this provision seems to be to give small organizations relief in the form of reduced administrative and record-maintenance costs.
According to reports, the Signal app, which was viewed as an alternative to WhatsApp, became a sensation. The company (Signal) had fewer than fifty employees. This effectively means that had Signal been established in the European Union, it would have been eligible to claim the exemption under Article 30(5) if it met just one of the three conditions.
The author contends that the provision (Article 30(5)) in its present form has the potential to be misused. The problem arises from the vagueness of the criteria in this provision and from the way it is drafted.
Firstly, the manner in which the clause is drafted provides an easy way to bypass the record-keeping obligations set up in Article 30(5) merely by meeting the employee-strength criterion and one of the three other conditions.
Secondly, the use of a vague term makes it open to misuse. According to one of the conditions in Article 30(5), the processing needs to be non-occasional; the GDPR uses the phrase 'not occasional'. The term 'occasional' is vague and is nowhere defined in the GDPR. Its literal meaning is occurring, appearing, or taken at irregular or infrequent intervals. It is pertinent to point out that all of these words lack a quantitative threshold and are therefore subjective.
In a scenario such as a surge in the usage of an application, the record-keeping obligation might be bypassed easily even as the number of data subjects increases dramatically (provided the employee strength remains below 250). This is because a general messaging application would, at the very least, process a person's phone number, which is personal data. In the absence of any quantitative restriction, the organization will have a ready justification.
While it might be argued that Data Protection Authorities robustly monitor compliance with record-keeping obligations and can therefore impose penalties under the GDPR, it is important to note that this would not encourage the ideal approach, in which organizations are proactive about privacy concerns; instead, they would be reactive.
To conclude, the present issue can be resolved by introducing a quantitative threshold or by defining the word 'occasional'.