Topics: General Data Protection Regulation
Organisations: ESBA

ESBA GDPR position paper

European Small Business Alliance – Brussels Office

Clos du Parnasse 3A, B-1050 Brussels, Belgium

Tel.: +32 2 274 25 04 – Fax: +32 2 274 25 09 – Email: secretariat@esba-europe.org

Association for Competitive Technology – Brussels Representation

Square de Meeus, 35, B-1000 Brussels, Belgium

Tel.: +32 2 513 0524 – Email: greg.polad@fticonsulting.com

General Data Protection Regulation: ensuring simple and clear rules for SMEs

The position of the European Small Business Alliance (ESBA) and the Association for Competitive Technology (ACT) on the European Commission proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (COM (2012) 0011).

Key ESBA and ACT recommendations on the General Data Protection Regulation:

The duties of SMEs should be covered by one all-encompassing article, so that SMEs can clearly establish their responsibilities. This will increase clarity.

Any article pertaining to SMEs’ obligations should feature definite rules to increase legal certainty.

The use of delegated acts must be avoided.

Due to limited financial, material and human resources available to SMEs, ESBA and ACT urge the institutions to take the following into account:

Data Protection Authorities should be the first port of call for consumers as they are best positioned to exercise a judgement on the issue of concern;

A Data Protection Officer should only be designated when a company processes personal data as a core activity of its business;

Data controllers based outside the Union should establish a threshold of sales to appoint a representative;

SMEs should perform an impact assessment only after their 3rd year of incorporation, when they have become a viable going concern;

SMEs should explicitly be exempted from receiving a sanction in case of a first and non-intentional non-compliance with this Regulation; a fine on an SME shall never exceed € 5 000;

Reporting obligations to the supervisory authorities should be made more flexible for SMEs, especially in cases where data processing is ancillary to the SMEs’ core business;

SME controllers should not be held liable for any fraudulent data entries by consumers;

In case of a personal data breach, businesses should be required to inform the authorities without undue delay. A fixed time limit of a specific number of hours is impractical and unrealistic.

Background

ESBA and ACT recognise the need to revise the current data protection rules. However, the proposal by the Commission is drafted in such a fashion that it would result in excessive administrative and financial burdens for micro- and small businesses. It fails to give SMEs legal clarity and legal certainty. Furthermore, it is too complex to be implemented by SMEs and fails to address the deep links in the technological sphere between small and big business that make exemptions difficult or impossible to take effect for SMEs.

If the EU truly wants to benefit from innovations in the digital sector and give room to a rapidly growing market with technological start-up companies, it should set clear and simple framework conditions for these businesses. ESBA and ACT are concerned that small and medium-sized enterprises will set up their businesses in other parts of the world with less intrusive legal systems.

ESBA and ACT’s specific recommendations to improve the proposal

SMEs need simple and clear rules, while the current Regulation contains provisions on SMEs dispersed across several articles. Therefore, ESBA requests that the duties of SMEs be covered by one all-encompassing article to ensure that the legal framework is definite, understandable and manageable.

SMEs already suffer from an uncertain economic landscape. They need legal certainty in order to safeguard investments made and forward-looking strategies. As such, any article pertaining to SMEs’ obligations should feature definite rules. Moreover, to increase legal certainty, the number of delegated acts needs to be reduced or avoided altogether.

Data Protection Authorities should be the first port of call for the user rather than the SME itself, as supervisory authorities are best equipped to determine compliance.

The SME controller and the processor should designate a Data Protection Officer only where the SME does not fall within the scope of ancillary activity and where the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects.

Along the same line of reasoning, adaptations to the European Commission’s proposal are justified in cases where data controllers based outside the Union need to appoint a representative. In this case, we propose to establish a threshold of sales in the Union generated by the SME as the determining factor.

SMEs should only be required to perform an impact assessment after their 3rd year of incorporation, and only when data processing is deemed a core activity of their business (i.e. where data processing results in 80% of the revenue of the company).

SMEs which process personal data only as an activity ancillary to their main activities should explicitly be mentioned as exempt from receiving a sanction in case of a first and non-intentional non-compliance with this Regulation. This is needed because the Regulation as it stands now leaves considerable discretionary powers to the supervisory authorities.

Requirements as to when a controller should provide the data subject with information should be made more flexible when data processing is an ancillary activity to the business of the SME.

The obligation on the controller to maintain documentation of all processing operations shall not apply to SMEs that process personal data only as an activity ancillary to the sale of goods and services. Unless there is a proven repeat offence, fines should not exceed the € 5 000 threshold.

When personal data of a child is processed, SME controllers should make reasonable efforts to obtain the verifiable consent of a child’s parent or custodian prior to the processing.

SME controllers should never be held liable for any fraudulent data entry or requirements by consumers. As such they cannot be tasked with obtaining verifiable consent.

In the case of a personal data breach, businesses should not have to notify the authorities or data subjects within a fixed number of hours. Instead, they should be required to do so without undue delay. Small businesses have limited resources, and resolving the breach should take priority over any reporting duties.
