Banana peels on the mine field - even small and medium-scale enterprises may be heavily fined!
You must have heard of the EU's General Data Protection Regulation (GDPR), that the new rules will be applicable from 25 May 2018, that failure to comply with them may result in a fine being imposed on the non-compliant entity, and that the amount of the fine may reach or even exceed EUR 20 million. It is far less widely known, however, that the new rules apply not only to multinational companies but to a whole range of entities, including family businesses, sole entrepreneurs and small and medium-sized enterprises.
Surveys show that a considerable number of undertakings have not yet heard about the GDPR or, if they have, have not yet started to prepare for the new regime. As a consequence, fines amounting to several hundred million or even billions of Hungarian forints may be imposed.
All of this concerns an EU regulation that contains a number of provisions whose interpretation is not unambiguous even to lawyers, and that also contains several grey zones, as the EU data protection working party itself admits in its guidelines.
The uncertainty inherent in the provisions of the regulation and the resulting difficulties of interpretation create a legal minefield, since those wishing to prepare will face a number of hurdles.
Below, let us have a look at a few banana skins.
1. "The data protection authority may not impose a fine on small and medium-sized enterprises for the first time (only during a second data protection authority procedure), thus, I can do the preparation during an authority procedure."
This favourable rule will cease to exist with regard to data protection authority procedures from 25 May 2018. Thus, small and medium-sized enterprises may also be fined, even if there was previously no data protection authority procedure against them.
2. "The GDPR does not apply to my family business, thus, there is no need to comply with the provisions of the same."
The scope of the GDPR covers sole entrepreneurs, small enterprises and also the biggest multinational companies, since all undertakings process personal data to some extent (for example, they may have employees, customers and contractual partners, they may process data concerning persons looking for a job, they may operate a webshop, carry out direct marketing, handle claims, etc.).
If somebody thinks that the GDPR does not apply to his/her activities and that there is therefore no need to comply with its provisions, he/she can expect to receive a fine, since such an attitude practically means that he/she has not taken any preparatory measures.
3. "If I comply with the current rules, then I basically comply with the GDPR as well."
Unfortunately, this is yet another misconception. On the one hand, the GDPR contains a number of obligations that are in addition to the current ones while, on the other hand and based on the principle of "accountability", it is not enough to abide by the rules: the relevant entity must be able to demonstrate compliance in a documented manner too. Thus, even if an obligation does not apply to the entity engaged in the processing activities, it has to be analyzed and documented why a given obligation does not apply to the relevant entity (for example, why there is no need to designate a data protection officer or why there is no need to prepare a data protection impact assessment, etc.).
4. "If there is a consent for data processing, everything is alright."
The GDPR gives a list of the possible legal bases, one of which is consent. However, for data processing to be lawful, one needs, amongst other things, to have the proper legal basis. If consent has been obtained but consent is not the proper legal basis, then that consent is not worth much: the data processing will be unlawful, which may result in a fine being imposed on the relevant entity.
5. "If I have obtained consent to process data, I can then lawfully process all the personal data which the data subject has consented to being processed."
Data processing will definitely be unlawful if personal data which is not necessary to achieve the purposes of the processing is processed. This is the case even if consent has been obtained.
6. "My employees have consented to data processing, thus, I can lawfully process their personal data."
Under the consistent practice of the data protection authority and the EU's data protection working party, consent may serve as the legal basis for processing only in exceptional circumstances, because of the dependency inherent in an employment relationship: such consent can, by definition, not be voluntary. Consent can only be used as a legal basis in an employment relationship very rarely, when it is evident that the employee would only receive "benefits" and may not be subject to any sanction if he/she refuses to consent. In the authority's example, if the employer organizes a running contest for the employees and asks for the employees' T-shirt sizes (which are personal data), then consent may serve as a valid legal basis for the data processing.
7. "If I do not provide services to natural persons, I do not need to bother about the GDPR."
Even if an undertaking does not provide services to natural persons, it can still have employees, customers and contractual partners. In that case the undertaking is processing personal data, and thus the GDPR is applicable.
In addition to the banana skins named above, there are a number of others in the GDPR minefield. The issues of the GDPR are addressed in the blog posts (eugdpr.blog.hu) in a Q&A format. Please click here for the blog post concerning the administrative fine.
Zoltán Balázs Kovács, J.D. (LL.M.), Partner, Szecskay Attorneys at Law, Budapest, Hungary (email@example.com)
The contents of this post are intended to provide only a general overview of the subject matter and do not qualify as legal advice.