What is it that Hungary can do for SMEs?
In Hungary, 99.8% of the undertakings qualify as SMEs. This blog post addresses the issue of whether these companies may be fined under the GDPR for first time violations. It also addresses the interesting issue of whether the GDPR allows Member States to adopt laws providing that no fine may be imposed on SMEs for first time violations.
1. What does the GDPR contain concerning SMEs?
The GDPR contains a few provisions concerning SMEs and refers to such entities in relation to the records of processing activities and, respectively, sector-specific codes of conduct and certification mechanisms. Furthermore, Preamble (13) of the GDPR says that “the Union institutions and bodies, and Member States and their supervisory authorities, are encouraged to take account of the specific needs of micro, small and medium-sized enterprises” in the application of the GDPR.
Preamble (167) stresses that “the Commission should consider specific measures for micro, small and medium-sized enterprises.”
2. Which entities qualify as SMEs?
The notion of SMEs includes micro, small and medium-sized enterprises.
An entity qualifies as a medium-sized enterprise if
- the total number of its employees is less than 250 and
- its annual net turnover does not exceed the HUF equivalent of EUR 50 million (about HUF 16 billion) or its balance sheet total does not exceed the HUF equivalent of EUR 43 million.
An entity qualifies as a small-sized enterprise if
- the total number of its employees is less than 50 and
- its annual net turnover does not exceed the HUF equivalent of EUR 10 million (about HUF 3.2 billion).
An entity qualifies as a micro enterprise if
- the total number of its employees is less than 10 and
- its annual net turnover does not exceed the HUF equivalent of EUR 2 million (about HUF 640 million).
Based on the above, it is plain to see that even a small-sized enterprise can be of a considerable size and can have high revenue, not to mention medium-sized enterprises which can have a considerable workforce and turnover.
Based on statistics from last September,
(i) 99.8% of the market players in Hungary qualify as SMEs, and there are only a few hundred companies larger than a medium-sized enterprise. The ratio is about the same at EU level;
(ii) about 70% of employees work for SMEs and 30% for larger companies. The ratio is about the same at EU level (67%-33%);
(iii) SMEs produce about 52.5% of GDP, whereas larger companies produce 47.5%. Again, the figures at EU level are not materially different (57.5%-42.5%).
3. What does the Hungarian SME Act say concerning first time violations and fines?
Hungarian supervisory authorities have to issue a warning instead of a fine in case of first time violations by SMEs. There is, however, no possibility to escape a fine if, for example,
a) the violation hurts or endangers human life, body or health;
b) the violation has caused environmental damage;
c) provisions serving the protection of minors have been infringed or
d) the rights of vulnerable people have been infringed.
4. Is the provision of the Hungarian SME Act in compliance with the GDPR?
It is an interesting and important question whether the provision of the SME Act as cited above in Section 3 is in compliance with the GDPR or if it (or a part of it) violates the Regulation.
(a) According to one of the interpretations, the provision of the SME Act as cited above is not in compliance with the GDPR for the following reasons.
Even though the GDPR declares that “the Union institutions and bodies, and Member States and their supervisory authorities, are encouraged to take account of the specific needs of micro, small and medium-sized enterprises in the application of this Regulation”, it contains no specific provision requiring that SMEs may not be fined for first time violations and, respectively, it does not contain any provision which would authorize Member States to adopt laws pursuant to which SMEs may not be subject to fines for first time violations. Thus, Member States may not adopt laws which would favour SMEs by declaring that such entities may not be subject to fines for first time violations. In my opinion, this interpretation is rather formalistic and not the right one.
It is worth noting that Section 83 (7) of the GDPR specifically authorizes Member States to “lay down the rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in that Member State.” The GDPR contains no such rule with regard to SMEs.
However, it is important to note that Section 83 (7) itself authorizes Member States to regulate (decide) if an administrative fine may be imposed on public bodies and, if so, to what extent.
The question of which entities qualify as public bodies is to be decided under the laws of the relevant Member State, and this is clearly confirmed by the Article 29 Working Party (now the European Data Protection Board) in its guidelines on the data protection officer. Thus, even if we accept the above interpretation, the lawmaker of a Member State may under the GDPR completely release public bodies (for example, entities of public benefit, or organizations that also carry out tasks for the benefit of the public at large) from fines or – if the lawmaker does not wish to completely release them from fines – set a maximum amount of fine.
In my opinion, fully releasing any entity from fines is not justified since the rules of the GDPR apply to all and they must be taken seriously. Complete exemption from fines would also be hard to square with the general EU law principle of useful effect (l’effet utile). However, differentiation in terms of fining is in my view justified based on the notion of proportionality – also a fundamental EU law principle.
(b) The other approach argues as follows with regard to SMEs.
The GDPR itself specifically declares in Preamble (13) that “the Union institutions and bodies, and Member States and their supervisory authorities, are encouraged to take account of the specific needs of micro, small and medium-sized enterprises” in the application of the Regulation.
Even though the cited provision of the GDPR is part of the Preamble and is not an operative Article of the Regulation, it does form part of the body of the law. The EU lawmakers had good reason for including this sentence in the GDPR, and the Union, the Member States and supervisory authorities have to take it into account.
In my view, a warning instead of a fine prescribed by a Member State for a first time data protection violation is justified in case of SMEs and may be compatible with the GDPR provided that a fine may be imposed also on SMEs (even for a first time violation) if the violation is a serious one. Thus, in the event that a serious violation of the GDPR against a child or a vulnerable person is committed or there is a high-risk violation which concerns the personal data of a large number of persons, then imposing a fine on the relevant SME is justified even if it is a first time violation.
In my view, the main rule in itself, providing that no fine may be imposed on SMEs for a first time violation, is in compliance with the GDPR. I think that when it comes to compliance with the GDPR, the focus is rather on the issue of the exceptions, namely, when a fine may still be imposed for a first time violation. Under the currently effective rule of the SME Act, if the SME commits a violation which does not fall under the exceptions listed above but affects a larger group of persons between 18 and 50 years of age and the violation may have serious consequences, then no fine could be imposed, even though a fine may well be justified in such a case.
In my view, this is where the SME Act may conflict with the GDPR; thus, it needs to be considered when a fine may be imposed also for first time violations.
In my opinion, in the event that a Member State adopts a law requiring that authorities have to take into account the SME nature of an undertaking and no fine may be imposed for a first time data protection violation on an SME, then such a law would be compatible with the GDPR since the GDPR explicitly contains this idea and the Regulation very much seems to hold such a law desirable. I believe that the condition of such a rule is that there must be exceptions to the main rule where a fine may be imposed also for first time violations in case of serious violations. It is worth noting that the main reason for the GDPR becoming law is not the SMEs but global companies, thus, it seems reasonable not to treat such players the same way.
In the event that Member States do not adopt laws favouring SMEs, authorities will enjoy a margin of discretion when deciding whether or not to impose a fine on SMEs for a first time violation. It is worth noting that it is not mandatory to impose a fine under the GDPR; this is only an option, and the authority decides on the basis of the circumstances of the case whether or not it applies a fine. Under the GDPR, the authority takes into account whether the controller or processor has committed a violation previously and, respectively, assesses the relevant aggravating and mitigating circumstances of the case. The mere fact that an entity qualifies as an SME is not an automatic mitigating factor.
Overall, I consider it completely reasonable to ask if it is compatible with the GDPR to have such a national law holding that SMEs are exempted from fines in cases of first time data protection violations. In my view, such a national law may be compatible with the GDPR if this is prescribed as a main rule and provided that even SMEs may be subject to fines for first time violations if such violations are serious.
5. What do certain EU data protection authorities say about inspections and fines?
The Latvian data protection authority says that it will first tend to consult with controllers and processors during the first year of application of the GDPR and will mainly impose fines only if the relevant entity has failed to fulfil the requirements of the authority in time.
The French data protection authority says that it will be more lenient when inspecting new legal concepts (such as profiling, data portability and automated decision-making).
It seems that the Austrian lawmaker wishes to adopt a law based on which the authority has to take into account the SME nature of an undertaking and such entities may not be fined for first time violations that are minor.
6. What can the Hungarian lawmaker do to help SMEs?
In my opinion, it is possible to act as suggested below and it could be reassuring to controllers and processors:
(i) in case of public bodies, it could be desirable to adopt laws pursuant to which (a) such bodies may not be fined for first time data protection violations, except if the violation is serious, and (b) the maximum amount of fine is much lower than the one set in the GDPR;
(ii) no fine may be imposed on SMEs for first time data protection violations, except if the violation is serious. To this end, Section 12/A Paragraph (2) of the Act no. XXXIV of 2004 on Small and Medium-Sized Enterprises would have to be amended and supplemented with an additional Paragraph (3).
Zoltán Balázs Kovács, J.D. (LL.M.), Partner, Szecskay Attorneys at Law, Budapest, Hungary (firstname.lastname@example.org)
The contents of this post are intended to provide only a general overview of the subject matter and do not qualify as legal advice.