
Structure

Additionally, despite the barrage of available opinions and guidelines on the GDPR put together by regulators and data protection experts, there is a lack of practical, easy-to-understand and targeted guidance about data protection law for SMEs. Uncertainty over the interpretation of the revised data protection requirements is increased in those areas where national laws may diverge (‘derogate’) from certain GDPR provisions.

Regulators do recognize the unique challenges that SMEs face in regard to GDPR compliance, and do assist when possible. However, Data Protection Authorities (DPAs) apply the GDPR irrespective of the size of an organization. The enforcement actions taken by several DPAs across Europe demonstrate that they are willing to fine SMEs they find in breach of data protection rules in a similar manner to larger enterprises. The most illustrative examples in this regard include the 15,000 EUR fine issued by the Belgian DPA in late 2019 to an SME for not complying with the information obligations stemming from the GDPR when using cookies;[4] a 20,000 EUR fine issued by the French DPA to a translation company for continuously filming its employees at their workstations and thereby breaching the data protection rights of those employees;[5] and a 5,000 EUR fine for a shipping company that did not conclude a data processing agreement with one of its business partners.[6]


With this background in mind, the STAR II consortium prepared this handbook to help SMEs meet core GDPR requirements. Different chapters of the handbook summarize the main requirements that SMEs have to abide by to lawfully process personal data in the EU.

[4] EDPB, ‘The Belgian DPA has imposed a fine of € 15,000 on a website specialized in legal news’ https://edpb.europa.eu/news/national-news/2019/belgian-dpa-has-imposed-fine-eu15000-website-specialized-legal-news_sv.
[5] CNIL, Délibération SAN-2019-006 du 13 juin 2019 https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000038629823/.
[6] Odia Kagan, ‘Hessian DPA Fines Shipping Company For Missing Data Processing Agreement’ https://www.jdsupra.com/legalnews/hessian-dpa-fines-shipping-companyfor-76851/.

Chapter 1 (Navigating support section) provides an overview of the main public and private actors in the European data protection landscape. It describes the roles and responsibilities of public bodies and then explains how SMEs can draw on their support to adhere to GDPR requirements. As the scope of this handbook is limited solely to topics of particular concern for SMEs, it is important to be able to navigate the other available resources that could facilitate GDPR compliance.

Chapter 2 (Personal data protection basics) explains the scope of data protection law and how it applies to SMEs. The chapter introduces the concepts and principles that form the crux of the personal data protection legal framework by answering the most commonly asked questions. Mastering this knowledge is essential when setting out a compliance strategy. The list of commonly asked questions is based on the NAIH’s experience of running a hotline dedicated to SMEs.

Chapter 3 (The theory and practice of a risk-based approach to personal data protection) makes the aforementioned core concept of EU data protection law intelligible and then explains the GDPR provisions that embed it. In particular, the chapter addresses the responsibility of the controller (Article 24), the principles of data protection by design and by default (Article 25), documentation obligations (Article 30), security requirements (Article 32), personal data breach notifications (Articles 33 and 34), data protection impact assessment (Article 35) and the prior consultation procedure (Article 36). The final two sections of the chapter reflect on the use of codes of conduct (Article 40) and certifications (Articles 42 and 43) as tools that may make it easier for SMEs to comply with the GDPR.

Each section provides practical examples, suggestions and recommendations for further reading. Where available, we refer to relevant decisions by DPAs. This handbook is predominantly based on guidance documents issued by European data protection authorities.
