Small companies can and do abuse personal data just as well.
I'll never forget how some period-tracking app that my partner was using was updated with much more invasive privacy-policy terms. It was take it or leave it: no way to use the app any more except by clicking the accept button.
In the US, we have rules to stop this sort of thing for e.g. background check data. If you collect personally identifiable information from a third party, it's the same as if you collected it yourself.
> The requirements for small companies are less stringent.
Conditioning various minor requirements on entity size is no help if they don't actually reduce the complexity. Otherwise the cost of determining what they have to comply with is as expensive as the cost of determining what they have to do to comply.
What smaller entities need is an entirely separate framework with fewer, simpler, narrower rules that don't have to be as robust against a huge team of lawyers finding loopholes because smaller entities don't have a huge team of lawyers finding loopholes.
Then you can have an entirely different set of robust arbitrarily complex rules that all only apply to companies with more than 1000 employees because they can afford to handle the complexity.
I'll never forget how some period-tracking app that my partner was using was updated with much more invasive privacy-policy terms. It was take it or leave it: no way to use the app any more except by clicking the accept button.
It was a small European startup that did this.
So yes, GDPR applies to all sizes of companies.