Presentation at the CPPP conference 2020 on the core issues SMEs and SME Associations have identified in applying the GDPR. This research work has been developed within the STAR II project.
1. The SME hotline experience of the Hungarian DPA, 2020
Dr Mistale Taylor, Trilateral Research
22 January 2020
2. What is an SME?
SMEs are defined by staff headcount AND either turnover or balance sheet total.
Small and medium-sized enterprises represent 99% of all businesses in the EU!
3. Recognising SME status in the GDPR
• Recital 13: "the Union institutions and bodies, and Member States and their supervisory authorities, are encouraged to take account of the specific needs of micro, small and medium-sized enterprises in the application of this Regulation"
• Article 30: "obligations to keep a record of processing activities shall not apply to an enterprise or an organisation employing fewer than 250 persons, unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data"
• Articles 40 & 42: "the specific needs of these companies should be taken into account when developing codes of conduct, data protection certification mechanisms and data protection seals and marks"
4. GDPR obligations for SMEs
The GDPR applies to all data controllers and processors, including small businesses.
Overarching obligations include:
• Accountability (SMEs have to take the necessary organisational, administrative and technical measures when processing personal data)
• Transparency (appropriate communication requirements)
• New data protection rights for individuals
• New responsibilities on data processors
• DPOs (compulsory appointment in some cases)
• Training employees
7. Country study: the SME Hotline in Hungary
March 2019 - March 2020
Scope: questions by SMEs throughout the EU on the interpretation and application of the GDPR
Further use: on the basis of the SME questions and issues, a handbook will be compiled that is usable throughout the EU
8. Statistics
• 14 March 2019 - 1 January 2020: 125 e-mails
• Sent out 113 responses, 4 in progress
• 8 requests outside scope
[Pie chart: Hotline responses (state of processing up to 1 January 2020): responded 113; in progress 4; outside the scope of the Hotline 8]
[Chart: The distribution of questions as per type of question. Categories: general information (GDPR); concrete question (GDPR application in a concrete case); other. Values shown on the chart: 18, 178, 8 (which value belongs to which category is not recoverable from the extraction).]
9. Topics of enquiries received via NAIH SME hotline*
[Bar chart of enquiry topics. Categories: Other; Compliance with GDPR; Video surveillance; Employees' data; Rights of the data subjects (provision of information to data subjects: 12); Legal base of data processing (declaration of consent: 10); Need for data protection register; Scope of GDPR; Need for data protection rules; DPO. Bar values shown on the chart: 35, 32, 25, 25, 17, 16, 14, 15, 14, 11 (which value belongs to which topic is not recoverable from the extraction).]
10. Biggest GDPR myths SMEs believed…
• That data protection / the GDPR doesn't apply to them
• That they will not be investigated or fined
• That you always need the consent of the data subject to process personal data
• That they are not handling sensitive data because they're not in the health industry
• That the GDPR is a settled issue and this is all a done thing
• GDPR compliance as a tick-box exercise, not a process
• That "data protection" is about one singular issue (e.g. CCTV, data access requests) and nothing else
11. Examples of enquiries
1. Are SMEs subject to the GDPR?
Yes. If they process personal data, they are subject to the GDPR rules.
The data protection reform took the special situation of SMEs into account:
• The majority of SMEs are not obliged to employ a data protection officer;
• The criteria for carrying out data protection impact assessments are significantly limited, and only a small portion of SMEs are subject to them;
• SMEs are also, under the conditions of Article 30 (5), exempt from the obligation to document their data processing activities.
2. Does the processing of the telephone numbers of my clients for business purposes qualify as data
processing?
Yes, because it concerns business or professional activity, and does not belong among the exemptions of
so-called household data processing not subject to the GDPR.
3. Is it considered data processing when I publish my telephone number on my webpage or Facebook
profile, and I am thus called by my possible clients?
No, not until the processing of the personal data of other natural persons takes place (e.g. you are called
by natural persons).
12. Examples of enquiries
4. Is a company subject to the GDPR when processing a small number of personal data of contractual partners or their contact persons for the purposes of fulfilling contracts of service?
Yes, because the frequency, quantity or purpose of data processing are irrelevant from the point of view of scope, unless Article 2 lists them as exemptions.
5. Is it subject to the GDPR when one contacts a company (a non-natural person) with a direct
marketing offer?
No. Article 4 point 1 of the GDPR defines the concept of personal data. The protection of the data
of non-natural persons does not fall within the scope of the GDPR.
6. Am I, or is my activity, subject to the GDPR even when I process no personal data as part of
my main activity, but I do have employees?
Yes. The processing of the data of employees is prescribed by several laws for various purposes,
whereby the enterprise is obliged to process the personal data of its employees.
13. Examples of enquiries
7. May consent be obtained from the data subject electronically?
Yes, because the GDPR has no provision on the form of consent; it only defines the requirements of
validity. The data controller however is obliged to prove that the data subject had given consent.
8. Is consent provided by a minor valid?
In the case of the validity of consent by minors, the provisions on capacity, parental custody and
guardianship, as well as, in the case of the incapacity or limited capacity of adults, the provisions on
capacity and custodianship of Act V of 2013 on the Civil Code apply. As a consent to data processing
qualifies as a juridical act, the relevant provisions of the Civil Code apply.
9. What is the difference between the provision of information under Articles 13, 14 and 15 of the GDPR?
While information under Articles 13 and 14 is meant to ensure that the data subject receives a general and comprehensive picture of the processing of his or her personal data, the right of access under Article 15 has the express aim of ensuring that the data subject receives information on the processing of his or her personal data in order to establish and control the lawfulness of that processing.
14. Examples of enquiries
10. When complying with the right to erasure under Article 17 of the GDPR, do personal data have to be erased from backup files?
According to Article 17 (2), where the erasure of personal data is obligatory pursuant to Article 17 (1), all personal data in backup copies (with either the controller or the processor, as well as third parties) shall be erased, and, without undue delay, the ability to restore the erased data shall be finally terminated by all technically feasible means.
11. If a natural person requests my enterprise to erase his or her personal data, and I thus erase
all his or her data, including his or her name, from the records, how can I prove that I had
received such a request and fulfilled it?
The GDPR does not obligate data controllers to keep records of the measures they take in the course of enforcing the rights of data subjects. Insofar as the data controller wishes to keep a record of its fulfilment of data subject requests in order to comply with the principle of transparency, and in the absence of a provision thereto, it is expedient to define the record's contents so as not to include (or to minimise) personal data.
15. Examples of enquiries
12. Must a data processor also maintain a record of processing activities?
Yes. Article 30 (2) of the GDPR defines the content of such a record. Accordingly, each processor and, where applicable, the processor's representative shall maintain a record of all categories of processing activities carried out on behalf of a controller.
13. In what form must such a record be maintained?
Pursuant to Article 30 (3) of the GDPR, such a record shall be in writing, including in
electronic form.
14. I intend to notify the data processing I carry out to the data protection register, but I
find no opportunity to do so on the website of the DPA.
The GDPR does not provide for a national data protection register to be maintained by
the authorities of Member States as the former regulation of the Privacy Act did. Article
30 of the GDPR obligates each data controller, and data processor, to maintain a record
of processing activities under its responsibility. This means that the data controllers, and
data processors, themselves must maintain records of their data processing activities
without having to notify the Authority thereof. The obligation to notify data processing to
the data protection register ceased as of 25 May 2018.
15. Does the GDPR provide for any exemption in view of SMEs?
Article 30 (5) of the GDPR exempts enterprises employing fewer than 250 persons from the obligation to maintain a record unless the processing they carry out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data.
16. Examples of enquiries
16. Under what conditions may employers process the certificates of good conduct of employees?
In the opinion of the Authority based on the relevant provisions of the GDPR and the Privacy
Act, employers may process the personal data of their employees concerning criminal actions,
the related security measures, and their having no criminal record, first, on the basis of
Article 6 (1) c) of the GDPR (processing is necessary for compliance with a legal obligation to
which the controller is subject) and, second, based on the authorisation of an Act detailing the
processing.
Note, however, employers may only require their employees to show them their certificates of
good conduct; they may not make copies of them.
17. May an enterprise use GPS in its company cars?
An indispensable condition of lawful data processing is that the processing has a legal basis under Article 6 of the GDPR; according to Article 6 (1) f), data processing may be lawful when it is necessary for the purposes of the legitimate interests pursued by the controller.
If the employer has a legitimate interest in using a tracking system, the first issue to be examined is whether the data processing is by all means necessary for the purposes designated by the employer, and whether its implementation by a GPS device is proportionate to the limitation on rights.
It is particularly important that employers inform their employees of the installation of tracking devices in the company cars their employees drive, and that while they use the vehicle, their
18. Thank-you for your attention!
Any questions?
Julia Sziklay, PhD
kkvhotline@naih.hu
www.naih.hu
mistale.taylor@trilateralresearch.com
http://www.project-star.eu/