top of page

Basics & Essentials for my enterprise


SMEs and the GDPR

The application of the GDPR depends on the nature of your enterprise or organisation activities, not on its size.


The GDPR introduces a risk-based approach into data protection law. This means that activities posing high risks to individuals’ rights and freedoms, regardless whether they are carried out by an SME or by a large corporation, trigger the application of more stringent rules.

Nevertheless, the GDPR encourages the Union institutions and bodies, Member States and their supervisory authorities, to take account on the specific needs’ micro, small and medium-sized enterprises may have regarding the application of this Regulation.

Additionally, the Regulation also recognises the specific situation of micro and small companies (to a limited extend) by allowing, under certain conditions, that some of the obligations of the GDPR do not apply to certain SMEs.

  • The obligation to appoint a DPO does not apply to SMEs when processing is not their main business and the processing does not pose specific threats to individuals’ rights and freedoms. Indicators for such threats are for example (1) processing sensitive data or criminal records (2) monitoring individuals or (3) large scale processing.

  • Companies with fewer than 250 employees do not have to keep records of their processing activities unless they regularly process personal data, pose a threat to individuals’ rights and freedoms, or process sensitive data or criminal records.

bottom of page