An interesting survey was published by the Irish Data Protection Commissioner on the Irish SMEs' readiness for the application of the EU’S new general data protection regulation (GDPR). If we want to summarize the findings of the survey briefly: the situation is quite depressing! One year before the GDPR is to be applicable, less than one third of Irish SMEs are aware of the fact that they will also have to apply the Regulation from May 2018 (two thirds of SMEs have heard of the GDPR itself).
If we dig a little deeper, we can see that less than 20% of Irish small businesses could name at least one specific change that they need to prepare for. Accordingly, four fifths of small businesses have not identified any steps that need to be made in order to meet the requirements of the GDPR. Of course, the larger the SME, the higher the awareness: the results are better with medium-sized companies employing 50-249 people than in the case of their counterparts with fewer than 49 employees. (The survey was carried out by Amárach Research, interviews were conducted with 500 businesses spread across the Republic of Ireland between April 24 and May 10, 2017.)
Although we do not know about similar surveys in Hungary, it can be assumed that the situation with regards to the GDPR awareness of SMEs in Hungary is not better at all.
Why do SMEs also need to deal with GDPR?
First and foremost because GDPR, as is currently the case with data protection legislation, applies to all data controllers and processors, so it also covers data processing activities carried out by small businesses.
Although the Regulation states in its preamble (point 13) that "the Union institutions and bodies, and Member States and their supervisory authorities, are encouraged to take account of the specific needs of micro, small and medium-sized enterprises in the application of this Regulation" and the Regulation itself also provides for facilitation for SMEs (e.g., regarding the obligation to maintain records of processing activities), a large part of the obligations also affect small companies.
Commission Recommendation 2003/361/EC of 6 May 2003 contains the definition of micro, small and medium-sized enterprises. Hungarian law contains the definition in line with this recommendation (Act XXXIV of 2004 on small and medium enterprises, their support for development, "SME Law"). According to this:
An enterprise is considered to be an SME
- a) which employs fewer than 250 persons, and
- b) which has an annual turnover not exceeding the HUF equivalent of EUR 50 million, and/or an annual balance sheet total not exceeding the HUF equivalent of EUR 43 million.
Within the SME category, a small enterprise is defined as an enterprise which
- a) employs fewer than 50 persons, and
- b) whose annual turnover and/or annual balance sheet total does not exceed the HUF equivalent of EUR 10 million.
Within the SME category, a micro enterprise is defined as an enterprise which
- a) employs fewer than 10 persons and
- b) whose annual turnover and/or annual balance sheet total does not exceed the HUF equivalent of EUR 2 million.
It is clear from the above that within the SME category, there are companies that can be considered significant due to their size and market weight, especially in Hungary.
What do SMEs need to do to meet the requirements of the GDPR?
In order to comply with the data protection rules, SMEs, like businesses in other categories, have to take the necessary organizational, administrative and technical measures when processing personal data.
On the basis of the principle of accountability, in addition to complying with the GDPR, SMEs also need to be able to demonstrate compliance, if necessary (e.g. data protection measures need to be documented properly, even if they meet requirements more favorable to them than the generally applicable rules).
In the first instance, it is advisable to review and evaluate what kind of data processing the company is carrying out, for what purpose and for which personal data. It's important to make the entire organization aware of the fact that personal data is being processed within the organisation.
After the data processing activities are mapped, it is necessary to examine exactly what obligations need to be met for data processing with different purposes and legal bases. It can be examined at this point whether there are any provisions that are offer more favorable rules for SMEs compared to the general rules.
If the above steps are completed, the existing data processing policies, information sheets, contracts with processors and other documents can be reviewed in order to make these compliant with the requirements of the GDPR.
What are the obligations for SMEs?
Basically, all rules of the Regulation also apply to small and medium-sized enterprises. Perhaps, it is better to form the question in a way that we ask where the provisions of the Regulation are not applicable to SMEs or where we can find more favorable rules for SMEs.
The Regulation contains a specific facilitation for SMEs in relation to the obligation to maintain a record of processing activities. According to Article 30 of the Regulation, obligations to keep a record of processing activities shall not apply to an enterprise or an organisation employing fewer than 250 persons, unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) of the GDPR or personal data relating to criminal convictions and offences referred to in Article 10 of the GDPR.
It is clear from the above that SMEs must apply this rule with cautiousness, since several exceptions have been defined which also requires the application of the main rule by SMEs, i.e. in such cases the record keeping obligation must be fulfilled. The exception relating to the processing of special categories of personal data and criminal personal data is relatively clear, but at the same time it is questionable in practice when there is no risk of data processing to the rights and freedoms of data subjects or when data processing can be considered as occasional (with regard to the risks, the WP29 Guidelines on the DPIAs contain some of the considerations that can be taken into consideration, but rather in the context of defining "likely high risk").
The Regulation mentions micro, small and medium-sized enterprises with regards to the Code of Conduct (Article 40) and certification (Article 42), i.e. that the specific needs of these companies should be taken into account in the development of codes of conduct and in the course of the establishment of data protection certification mechanisms and of data protection seals and marks.
As regards SMEs, the rules of the Member States, the acceptance of codes of conduct and the certification mechanisms may still produce some rules that differ from the general rules.
Should SMEs pay fines under the GDPR?
In this respect, the Regulation does not include any rule other than the general rule, i.e. the rules on fines apply to micro, small and medium-sized enterprises, including rules on the amount of the fines to be imposed.
In Hungary, the situation is particularly interesting because according to one of the provisions of the SME Act (Article 12/A), the authorities carrying out the regulatory inspection of small and medium-sized enterprises shall forego the sanction for imposing a fine for the first offense (with the exception of tax and customs proceedings and the proceedings for the supervision of adult education institutions) and shall issue a warning instead. A 2016 judgment of the Supreme Court of Hungary confirmed that this provision also applies to a fine to be imposed in the proceedings of the data protection authority (Section 12 / A (2) of the SME Act defines a number of serious infringements where no exemption from the fine shall be allowed, for example, in the event of any infringement of the provisions adopted for the protection of persons under the age of 18 years old).
It is a question, therefore, whether Section 12/A of the SME Act will be applicable to proceedings in accordance with the Regulation, i.e. will it not be possible to impose a fine on SMEs for the first offense recorded in the data protection authority proceedings or will it change based on the Regulation after May 25, 2018?
According to the Preamble to the Regulation, “in order to strengthen the enforcement of the rules of this Regulation, penalties including administrative fines should be imposed for any infringement of this Regulation, in addition to, or instead of appropriate measures imposed by the supervisory authority pursuant to this Regulation. In a case of a minor infringement or if the fine likely to be imposed would constitute a disproportionate burden to a natural person, a reprimand may be issued instead of a fine.” (Preamble, Point 148)
On the basis of the above there is no reference to SMEs regarding the possibility of dispensing with the application of a fine, only to natural persons, and generally with regards to minor infringements, regardless of who committed them.
According to the Regulation, "it should be for the Member States to determine whether and to which extent public authorities should be subject to administrative fines" (Preamble, point 150, Article 83 (7)). The Member States' Public authorities or other bodies with a public-service mission can therefore, without further ado, accept exceptions from Member States, but the Regulation does not authorize Member States to adopt exemptions for SMEs with regard to fines.
In addition to the above, the circumstances to be considered in connection with the fines (Article 83 (2)) do not include the SME status (Paragraph 150 of the Preamble states: "in order to strengthen and harmonise administrative penalties for infringements of this Regulation, each supervisory authority should have the power to impose administrative fines. This Regulation should indicate infringements and the upper limit and criteria for setting the related administrative fines, which should be determined by the competent supervisory authority in each individual case, taking into account all relevant circumstances of the specific situation, with due regard in particular to the nature, gravity and duration of the infringement and of its consequences and the measures taken to ensure compliance with the obligations under this Regulation and to prevent or mitigate the consequences of the infringement").
According to the NAIH’s (Hungarian data protection authority) currently known interpretation, Section 12/A of the SME Act will not be applicable in the procedures under the Regulation, i.e. the authority may impose fines on SMEs even for the first offense.
It would obviously create a completely clear situation if the legislator would settle this issue by enacting an amendment to Section 12/A of the SME Act.