Steps to comply with EU data protection regulation (GDPR) in Estonia
The GDPR stipulates that data controllers must maintain records of personal data processing activities. However, the GDPR limits this obligation.
The obligation does not apply to an enterprise or an organization employing fewer than 250 persons unless the processing of data is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data.
As the aforementioned exceptions are quite vague, it should be examined how different data protection authorities (DPAs) understand the obligation. The Estonian DPA, for example, is very strict and finds that a company should even keep a record of the processing of its own employees' data.