Multi-stakeholder expert group to support the application of Regulation (EU) 2016/679

SMEunited [1] input to the QUESTIONS TO PREPARE THE STOCK-TAKING EXERCISE OF JUNE 2019 ON THE APPLICATION OF GDPR

Executive Summary

This document contains the replies of some SMEunited member organisations (horizontal national or European sectoral) to the questionnaire prepared for the stock-taking exercise of June 2019 on the application of the GDPR. The contributions come from Austria, Belgium, Denmark, France, Germany, Greece, Italy and Spain.

The main difficulties reported are: assessing whether one is a controller or a processor, the obligation to keep a record of processing activities, the appointment of a DPO, the lack of clarity about what large-scale processing means, and the principle of accountability.

Overall this legislation creates severe difficulties for micro-enterprises and SMEs as it is not proportionate. The legislation was conceived to tackle the attitudes of big players, not of SMEs. The administrative burden for documentation has increased and SMEs suffer from the lack of human and economic resources to cope with this legislation. One of the major problems is indeed that the regulation is extremely complex and very hard to understand, even for experts. Many of our SMEs had to buy help from external consultants to understand the rules and set up systems to comply with the GDPR. The published guidelines are mainly a help to understand the rules, but offer no guidance on how to apply the theory in real life.

[1] SMEunited subscribes to the European Commission's Register of Interest Representatives and to the related code of conduct as requested by the European Transparency Initiative. Our ID number is 55820581197-35.
BIPAR - European Federation of Insurance Intermediaries - EU

Processing health data (derogation in Article 9(2)(h): not always applicable to the insurance sector at national level).

Processing personal data where there is no direct relationship with the data subject prior to processing. Examples: an intermediary may not have a direct relationship with an employee insured under a group contract concluded between a corporate policyholder and an insurer until it is instructed to pay out a claim. An intermediary will certainly not have a direct relationship with an injured third party before that data subject is involved in a motor accident and becomes eligible for compensation. However, in both cases, the intermediary should process this personal data, both in the interest of fulfilling the insurance contract (between the policyholder and the insurer, not the data subject) and in the interest of the data subject.

Some insurers have automatically classified intermediaries as data processors. The insurer carries out regulated underwriting activity, and the intermediary carries out regulated activity (e.g. under the IDD) specific to acting as an intermediary. Both parties act as separate data controllers, and would therefore take on the responsibilities of a data controller in respect of the data they hold/process. Where they act as processor for the other, the obligations laid out in the Regulation would apply to the data processor at that time. The agreement between the insurer and the intermediary should reflect this stance. After lengthy negotiations, in many markets at national level, insurers have now accepted that intermediaries act as separate data controllers. However, some still have trouble accepting this concept.

In our dialogue on the issue with the EDPB, we have explained that further examples of the determination of controller / processor would be helpful, particularly in relation to specialist service providers where they process data in accordance with their regulatory and/or professional obligations.
CPME - FRANCE

One of the problems is the fact that the exception to the obligation to keep a record of processing activities for enterprises with fewer than 250 employees covers only certain cases (Article 30(5) of the Regulation). Among them is "occasional" processing, which is not defined by the Regulation and which the CNIL has circumscribed by giving only a single example of "occasional processing".

Furthermore, another reported and persistent problem is the notion of "large-scale processing", which is still not defined and which generates a number of uncertainties for our enterprises, which do not know whether or not they process "on a large scale" under the GDPR. Yet this notion is of considerable importance (mandatory appointment of a DPO, carrying out an impact assessment, etc.). The European Data Protection Board (formerly the Article 29 Working Party) has only given examples of processing which it considers or does not consider to be large-scale processing, but no precise definition, either quantitative or qualitative. See in this respect the WP29 guidelines on DPOs, pages 8, 9 and 10.
CNA - ITALY

1. General comments
a. For members representing businesses: please explain what were the main issues experienced by the organisations you represent in complying with the GDPR.
The transition phase of the GDPR on the "accountability" principle was critical for SMEs. The duties connected to the impact assessment of the "record of processing activities" (art. 30, https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=624045) were highly critical because, in Italy, they were extended further than SMEs expected. The impact assessment (on DPA) is still a concern. Considerable investments to ensure compliance with the GDPR and workload generated by accountability requirements.

2. Impact of the GDPR on the exercise of the rights
a. How have the information obligations (in Articles 12 to 14) been implemented?
There were not enough information/elements for businesses to be inserted in such information obligations.
Has there been a change of practices in this respect?
Yes in the business practices but not in the information to be given.
b. Is there an increase of requests (where possible provide estimates):
i. to access data? A few
ii. for rectification? As in the past
iii. for erasure? As in the past
iv. to object? …
v. for meaningful explanation and human intervention in automated decision making? A few
c. Are there requests on data portability?
A few. https://www.garanteprivacy.it/regolamentoue/portabilita
d. On which rights do these requests mostly relate to?
Not significant
e. Are there any difficulties in the application of the rights (by controllers, by DPAs), including for meeting the deadlines for responding to the requests?
Yes, but small businesses are not always aware of these deadlines. Specific difficulties in the employer-employee context.
f. What percentage of the requests was manifestly unfounded or excessive? Please describe why these requests were unfounded or excessive.
Approximately 75% unfounded

3. Impact of Article 7(4) regarding the conditions for valid consent on your business model/consumers
a. Are there any issues with the use of consent as legal basis for specific processing operations? (e.g. complaints received) When requesting consent, how did individuals respond?
A few, at the moment. Specific challenges and lack of a common EU approach on consent for processing health data, in particular in the health sector, research, and for insurance contracts.
b. Have organisations switched the legal ground for processing from consent to another legal ground?
Yes
c. How are businesses addressing the issue of tied consent?
As in the past
How are they distinguishing between contract as legal basis and consent?
SMEs have difficulties in dealing with different kinds of consent.

4. Complaints and legal actions
a. Are there any complaints against your organisation(s) submitted before DPAs? NO
b. Are there any court actions against your organisation(s)? NO
c. Are there any court actions against decisions, or absence of decisions, of DPAs? NO
d. In all above cases, please explain what is the matter of the complaint or court action and for which types of infringements of GDPR? NO

5. Use of representative actions under Article 80 GDPR:
a. Are you aware of representative actions being filed against your organisation(s) or in your Member State? NO
As an organisation representing civil society, have you filed representative actions in any Member State? NO
b. What types of representative actions (complaint to DPA or to court, claim for compensation)? In which country/ies? NO
c. Against whom and for which types of infringements of GDPR? NO

6. Experience with Data Protection Authorities (DPAs) and the one-stop-shop mechanism (OSS):
Are there any difficulties experienced in the dealings with DPAs (by individuals/businesses)?
NO, we do not have info/data. The DPA provided us with the Guidelines https://www.garanteprivacy.it/regolamentoue/acc. In the initial phase of GDPR enforcement the guidelines were not always practical, and feedback gathered during public consultation was not sufficiently taken into account.
a. Are there difficulties in obtaining advice or guidance material by the DPAs?
Information and training should be urgently implemented in co-partnership with the DPA and with available EU funding.
b. Are DPAs following up on each complaint submitted, and in a timely manner?
We do not have data/info.
c. How many of your business members have declared a main establishment to a DPA and benefit from a Lead Authority?
We are not aware at the moment.
Have they experienced difficulties with the functioning of the OSS?
We are not aware, at the moment.
d. Do you have experience with the designation of representatives of controllers or processors not established in the EU? NO
e. Are you aware of guidelines issued by national DPAs supplementing or conflicting with EDPB guidelines? (please explain)
NO, see point a.

7. Experience with accountability and the risk-based approach (for members representing businesses):
a. What is the feedback from your members on the implementation of accountability?
Severe difficulties for micro-enterprises and SMEs. The administrative burden for documentation has increased.
And their experience with the scalability of obligations (e.g. Data Protection Impact Assessment for high risks, etc.)?
Very difficult.
b. What are the benefits/challenges of GDPR in your line of business?
Challenges: knowledge, training and multilanguage learning tools.
c. What do you think the overall impact of GDPR will be on your organisation's approach to innovation?
On "privacy by design", cultural barriers still exist.
d. In which area did your organisation have to invest most in order to comply with the GDPR? How useful do you consider this investment for the overall performance of your organisation?
Several sectors of our organisation have tackled the GDPR as a challenge and/or a supplementary problem to be solved.
e. To which extent could your organisation rely on existing technical and organisational measures or did you establish a new data management system?
The GDPR required a significant amount of resources, competences and system upgrading.
f. Do your members experience an increase of awareness and of trust of their customers due to the implementation of technical and organisational measures to comply with the GDPR?
Yes, in proposing adaptable solutions to micro SMEs.

8. Data protection officers (DPO):
a. Did the organisations you represent designate a mandatory DPO pursuant to Article 37(1) GDPR? NO.
b. Did the organisations you represent designate a mandatory DPO pursuant to national law implementing Article 37(4) GDPR? Please specify which national law and for which situations.
NO. In the past, it was not mandatory. Today we do it as it is mandatory.
c. Did the organisations you represent designate a DPO on their own initiative, without being required to do so by the GDPR or by national law? NO.
d. Did associations or other bodies representing categories of controllers or processors designate data protection officers? NO
e. What is the experience of the organisations you represent with the performance of DPOs? NO

9. Controller/processor relationship (Standard Contractual Clauses)
a. What is the experience of the organisations you represent on the adaptation of current contracts?
We had a positive experience with setting guidelines (art. 28) but we would have expected DPA guidelines.
b. Is there a need for the adoption of standard contractual clauses under Article 28(7) GDPR? Explain what are the main reasons.
Yes, it is advisable. SMEs do not have legal offices comparable to those of large enterprises.
c. If standard contractual clauses were to be prepared, what elements and specifications should be included? (e.g. auditing, liability allocation, duty of cooperation, indemnification)
All of them (auditing, liability allocation, duty of cooperation, indemnification).
d. Do you have suggestions in terms of how to ensure the "user-friendliness" of such standard contractual clauses? NO
e. In case you have drafting suggestions for specific clauses, please share. NO

10. Adaptation/further development of Standard Contractual Clauses (SCCs) for international transfers
a. What are your practical experiences with the existing SCCs: Do they serve the purpose? If not, where do you see room for improvements? Have you encountered any problems in using the existing SCCs?
NO data/info/cases available
b. Do you see a need to adapt the existing SCCs, generally and/or in the light of the GDPR? (e.g. different structure/design? additional safeguards? combination with Art. 28 standard contractual clauses for processors?)
c. Do specific clauses require further clarification (e.g. auditing, liability allocation, duty of cooperation, indemnification)?
d. Is there a need to adapt the SCCs in light of the Schrems II court case (concerning access by third country authorities), e.g. with respect to monitoring/reporting obligations on the data importer/exporter? Do you have suggestions on ways and means to strengthen the possible control by the data exporter vis-à-vis the data importer and the measures to enforce such control (e.g. not only suspending the transfer of data but actually recalling the data already transferred)? Do you have any other suggestions on how to further strengthen data protection safeguards and control mechanisms (including by the DPAs) with regard to government access?
e. Is there a need to develop new SCCs, e.g. for the processor/sub-processor relationship, joint-controllership, processor-to-controller relationship or specific processing operations?
f. Do you have suggestions in terms of how to enhance the "user-friendliness" of SCCs?
It could be useful in the future to foresee SME-friendly SCCs through "separate forms".
g. In case you have drafting suggestions for specific clauses, please share.

11. Have you experienced or observed any problems with the national legislation implementing the GDPR (e.g. divergences with the letter of GDPR, additional conditions, gold plating, etc.)?
Yes, in the previous DLGS 101/2018 adapting the Italian Privacy Code to the GDPR, there were some additional and unjustified conditions (e.g. penal sanctions on certain breaches foreseen in the GDPR).
CONFARTIGIANATO - ITALY

1. General comments
a. For members representing businesses: please explain what were the main issues experienced by the organisations you represent in complying with the GDPR.

2. Impact of the GDPR on the exercise of the rights
a. How have the information obligations (in Articles 12 to 14) been implemented?
The enterprises have updated the information for customers and suppliers to adapt to the GDPR (Article 13). Compared to the models used before 25 May 2018, the most critical aspect was the identification of the duration of the processing. This aspect is not easily identifiable as the purposes for which an enterprise may need personal data are different. Often, therefore, a broad formulation is used, such as for example: "the data are processed for the time necessary for the performance of the contract or the fulfilment of legal obligations".
Has there been a change of practices in this respect?
The number of micro and small businesses that publish the information for their customers on the company website has increased, inserting an invitation to consult the online information in the business documents. It should be noted that when the paper information is provided, the controller often continues to request consent, although this is not necessary pursuant to the GDPR.
b. Is there an increase of requests (where possible provide estimates):
i. to access data?
ii. for rectification?
iii. for erasure?
iv. to object?
v. for meaningful explanation and human intervention in automated decision making?
There is no increase in requests relating to the exercise of the rights of the data subject. Data subjects may not yet perceive this as an opportunity. In this sense, the length of the information, even if the rights of the data subject are reported, is not effective as the data subject often does not read the content. On the other hand, there was an increase in disputes during labour lawsuits with reference to the use of video surveillance and geolocation of workers.
c. Are there requests on data portability?
No, there aren't.
d. On which rights do these requests mostly relate to?
We have no information on this issue.
e. Are there any difficulties in the application of the rights (by controllers, by DPAs), including for meeting the deadlines for responding to the requests?
Currently there are no difficulties, but in the event of an increase in the exercise of rights by data subjects, micro and small enterprises could have difficulty in managing requests in the absence of adequate IT tools.
f. What percentage of the requests was manifestly unfounded or excessive? Please describe why these requests were unfounded or excessive.
We have no information on this issue.

3. Impact of Article 7(4) regarding the conditions for valid consent on your business model/consumers
a. Are there any issues with the use of consent as legal basis for specific processing operations? (e.g. complaints received) When requesting consent, how did individuals respond?
The criticalities found in cases where the data subject refuses to give consent are clearly due to the abuse of the request for consent by the controller. Often, in fact, the controller combines the information with the request for consent even if this is not required by the GDPR. An information campaign by the DPA is hoped for, to clearly define the cases in which it is necessary to acquire consent.
b. Have organisations switched the legal ground for processing from consent to another legal ground?
Following the entry into force of the GDPR, enterprises rely more on the legitimate interest of the controller instead of consent, in particular for direct marketing purposes. In Italy direct marketing on the basis of the legitimate interest of the controller is permitted only for sending e-mail and using the telephone. This possibility should also be extended to other tools, primarily "WhatsApp" and SMS.
c. How are businesses addressing the issue of tied consent? How are they distinguishing between contract as legal basis and consent?
On these aspects, micro and small enterprises have not yet reached an adequate awareness of the need for free consent and of the consequences of processing based on tied consent.

4. Complaints and legal actions
a. Are there any complaints against your organisation(s) submitted before DPAs?
No, there are currently no complaints.
b. Are there any court actions against your organisation(s)?
No, there are currently no actions.
c. Are there any court actions against decisions, or absence of decisions, of DPAs?
We have no information about it.
d. In all above cases, please explain what is the matter of the complaint or court action and for which types of infringements of GDPR?

5. Use of representative actions under Article 80 GDPR:
a. Are you aware of representative actions being filed against your organisation(s) or in your Member State?
No, we aren't.
As an organisation representing civil society, have you filed representative actions in any Member State?
No, we haven't.
b. What types of representative actions (complaint to DPA or to court, claim for compensation)? In which country/ies?
c. Against whom and for which types of infringements of GDPR?

6. Experience with Data Protection Authorities (DPAs) and the one-stop-shop mechanism (OSS):
a. Are there any difficulties experienced in the dealings with DPAs (by individuals/businesses)?
There are no difficulties in dealings with the DPA.
b. Are there difficulties in obtaining advice or guidance material by the DPAs?
c. Are DPAs following up on each complaint submitted, and in a timely manner?
We have no information about it.
d. How many of your business members have declared a main establishment to a DPA and benefit from a Lead Authority? Have they experienced difficulties with the functioning of the OSS?
We have no information about it.
e. Do you have experience with the designation of representatives of controllers or processors not established in the EU?
No, we don't.
f. Are you aware of guidelines issued by national DPAs supplementing or conflicting with EDPB guidelines? (please explain)
No, we aren't.

7. Experience with accountability and the risk-based approach (for members representing businesses):
a. What is the feedback from your members on the implementation of accountability? And their experience with the scalability of obligations (e.g. Data Protection Impact Assessment for high risks, etc.)?
The principle of accountability has been positively accepted by micro and small enterprises, as a way to overcome the bureaucratic approach based on prior authorisations. However, for micro and small enterprises the GDPR involves an increase in costs and charges. In particular, micro enterprises have difficulty applying the principle of accountability and risk assessment, as they do not have professional figures capable of managing the new legislation.
b. What are the benefits/challenges of GDPR in your line of business?
With the GDPR micro and small enterprises are more aware of the economic value of the personal data they possess. The main challenge for micro and small businesses is to activate new processes for managing, enhancing and protecting this internal resource.
c. What do you think the overall impact of GDPR will be on your organisation's approach to innovation?
d. In which area did your organisation have to invest most in order to comply with the GDPR? How useful do you consider this investment for the overall performance of your organisation?
e. To which extent could your organisation rely on existing technical and organisational measures or did you establish a new data management system?
f. Do your members experience an increase of awareness and of trust of their customers due to the implementation of technical and organisational measures to comply with the GDPR?
At the moment, customers are not sufficiently aware of the technical and organisational measures adopted by enterprises.

8. Data protection officers (DPO):
a. Did the organisations you represent designate a mandatory DPO pursuant to Article 37(1) GDPR?
No, they didn't.
b. Did the organisations you represent designate a mandatory DPO pursuant to national law implementing Article 37(4) GDPR? Please specify which national law and for which situations.
No, they didn't.
c. Did the organisations you represent designate a DPO on their own initiative, without being required to do so by the GDPR or by national law?
No, they didn't.
d. Did associations or other bodies representing categories of controllers or processors designate data protection officers?
Yes, they did.
e. What is the experience of the organisations you represent with the performance of DPOs?
We have no experience about it.

9. Controller/processor relationship (Standard Contractual Clauses)
a. What is the experience of the organisations you represent on the adaptation of current contracts?
Enterprises, as controllers, face difficulties in assessing when to appoint a processor and when to consider a party a controller. Article 28 of the GDPR establishes, in fact, that where processing is to be carried out on behalf of a controller, the controller appoints a processor. This formulation is creating some doubts on the need to appoint some external subjects as processors. The Italian DPA has recently established that the employment consultant is a processor when he processes personal data of clients or employees of the controller. Similar doubts, however, remain in other cases, such as for example accountants, banks or computer maintenance staff. The main problems include the following:
- some subjects refuse to be appointed as processor, thus creating uncertainty in enterprises;
- individuals who operate in a completely independent manner are appointed as processors;
- some subjects, by exploiting their position of contractual strength, impose unfair contractual clauses on micro enterprises in the deed of appointment as processor;
- a micro-enterprise may find itself having to appoint a large company as a processor for the provision of highly specialised and complex services, with respect to which it does not actually have the capacity to carry out checks on the processing, as it lacks the necessary technical skills.
For these reasons, it would be necessary to adequately reconsider the rationale of the appointment as processor pursuant to art. 28 of the GDPR in order to clarify when a subject must be appointed processor. It must be avoided, in fact, that the appointment as processor becomes a "merely bureaucratic" fulfilment completely unrelated to the need to protect the confidentiality of personal data.
b. Is there a need for the adoption of standard contractual clauses under Article 28(7) GDPR? Explain what are the main reasons.
c. If standard contractual clauses were to be prepared, what elements and specifications should be included? (e.g. auditing, liability allocation, duty of cooperation, indemnification)
d. Do you have suggestions in terms of how to ensure the "user-friendliness" of such standard contractual clauses?
e. In case you have drafting suggestions for specific clauses, please share.

10. Adaptation/further development of Standard Contractual Clauses (SCCs) for international transfers

11. Have you experienced or observed any problems with the national legislation implementing the GDPR (e.g. divergences with the letter of GDPR, additional conditions, gold plating, etc.)?
No, we have no observations about it.
CONFCOMMERCIO - ITALY

Confcommercio had circulated among its members a questionnaire for feedback, though receiving only limited contributions. So far, our main highlights can be summarised as follows:

1. General comments:
Data processing legislation has always been seen by companies as a disproportionate burden. The GDPR has not softened this feeling because some obligations (e.g. the register of processing operations) have been interpreted by the EDPB in an excessively restrictive manner (e.g. it is sufficient to have only one employee to be required to keep the register). Notification of data breaches also requires the development of an internal procedure, which SMEs are struggling to implement. At the moment, no specific provisions have been issued in Italy to meet the needs of SMEs.

7. Accountability:
The principle of accountability is not easy to manage for SMEs. It actually requires an accurate analysis of company processes as well as of the associated risks, with respect to which the need for external consultancy becomes indispensable, the latter resulting in further burdens for companies and SMEs in particular.

8. Data Protection Officer (DPO):
Confcommercio is evaluating the need to have a DPO.

9. Controller / processor relationship:
The adaptation of existing contracts to the new obligations is another demanding challenge for SMEs. Nevertheless, we do not believe that an intervention by the Commission is necessary, given the experience already accumulated over 20 years of application of the privacy legislation and considering that art. 28 of the GDPR appears to be sufficiently detailed regarding the requirements to be included in the contracts between controllers and processors.
SMEdenmark - DENMARK

Q.1: Overall the general impression from the businesses is that the GDPR is an extremely heavy administrative burden and completely out of proportion when it comes to the measures and actions that have to be taken by businesses to comply with the regulation, in comparison to the risk of damage to consumers. It is exactly such legislation that causes fatigue with the EU system. The intention was good, but it has completely missed the target and has been carried out completely wrong. It seems like the legislators have taken a regulation which makes perfect sense when it comes to the big processors/handlers of data like Facebook, Amazon, Google and other companies who process large amounts of data and sensitive data, and applied the same rules to businesses who only process small amounts of data and normal data like name, address, email etc., which are of no risk to the consumer. One of the big problems is that the regulation is extremely complex and very hard to understand, even for experts. Many of our members have had to buy help from external consultants to understand the rules and set up systems to comply with the GDPR.

Q. 6.b: The Danish DPA was very late with the guidelines and furthermore the guidelines were mainly written with the focus on the big businesses and not in a language and manner which had the SMEs in mind. Therefore many of the guidelines were more or less useless for most businesses. There is a large gap from understanding the rules to applying them in practice. The guidelines are mainly a help to understand the rules, but give no guidance on how to apply the theory in real life.

7.d.: SMEdenmark and all their members have had to invest heavily in administration to comply with the regulation. This has taken away a lot of resources and focus from the core business and has led to a decrease in productivity. SMEdenmark organized 25 seminars across the country to help our members understand the rules. We also had standard documents developed to assist in complying with the rules.

7. f: Our members have not experienced a rise in awareness from customers when it comes to the processing of data by the normal SME. Maybe an increase in awareness has been achieved with regard to the big processors of data, but for other businesses it is business as usual. Because of the large quantity of information which has to be given to the persons, there is an information overload which on the contrary has led to the situation that people do not read the information provided. It has led to the same reaction as the cookie pop-up on the screen: you just click "ok" and continue. No one reads the information.

Q 11. It doesn't help the businesses either that the Danish DPA has a very strict interpretation of the regulation, i.e. art. 30, which on the surface does not apply to SMEs unless the processing is not occasional. However, the Danish DPA interprets this article in such a manner that if you have just one employee the processing is not occasional and thus the obligation to keep records of processing activities applies to all businesses.
ESEE - GREECE

8. Data protection officers (DPO):
a. Did the organisations you represent designate a mandatory DPO pursuant to Article 37(1) GDPR?
Article 37(1)(b) and (c) require the processing of personal data to be carried out on a large scale in order for the designation of a DPO to be triggered. The GDPR does not define what constitutes large-scale processing. Indeed, it is not possible to give a precise number, either with regard to the amount of data processed or the number of individuals concerned, which would be applicable in all situations. We consider that it is necessary to develop a standard practice for identifying in more specific and quantitative terms what constitutes ‘large scale’ in respect of certain types of common processing activities, especially for SMEs.
b. Did the organisations you represent designate a mandatory DPO pursuant to national law implementing Article 37(4) GDPR? Please specify which national law and for which situations.
c. Did the organisations you represent designate a DPO on their own initiative, without being required to do so by the GDPR or by national law?
So far, we don’t have any information and therefore we consider that this is an important matter, because when an organisation designates a DPO on a voluntary basis, the requirements concerning the designation, position and tasks are applied as if the designation had been mandatory. Thus, it would be better if this procedure were more flexible, especially for SMEs.
d. Did associations or other bodies representing categories of controllers or processors designate data protection officers?
e. What is the experience of the organisations you represent with the performance of DPOs?
The legislation for GDPR has already proved to be very difficult and costly to implement.

9. Controller/processor relationship (Standard Contractual Clauses)
a. What is the experience of the organisations you represent on the adaptation of current contracts?
b. Is there a need for the adoption of standard contractual clauses under Article 28(7) GDPR? Yes. Explain what are the main reasons.
On standard contractual clauses for controller-processor, ESEE believes that any SCCs should be adopted pursuant to Article 28(7). Therefore, GDPR should inter alia clarify the role of controller and processor.
c. If standard contractual clauses were to be prepared, what elements and specifications should be included? (e.g. auditing, liability allocation, duty of cooperation, indemnification)
Sub-processor model clauses, deadline for notification of a personal data breach, clear stipulation of the liability allocation and the audit clauses, clarification of the duty of cooperation of the processor with the controller, clear rules on return of data (destroying vs. returning).
d. Do you have suggestions in terms of how to ensure the “user-friendliness” of such standard contractual clauses?
e. In case you have drafting suggestions for specific clauses, please share.

11. Have you experienced or observed any problems with the national legislation implementing the GDPR (e.g. divergences with the letter of GDPR, additional conditions, gold plating, etc.)?
Greece has not yet adopted new national legislation to fully implement the GDPR legislation of 2016.
PIMEC - SPAIN

The new Llei Orgànica de Protecció de Dades i garantia dels drets digitals (LOPDGDD), which adapts the Spanish legislation to the GDPR and regulates the fundamental rights on personal data protection, was published on 5 December 2018. The Spanish Law puts an end to the legal uncertainty on the application of the GDPR in Spanish enterprises.

In the implementation of the Spanish law, the main difficulty for the SMEs is the lack of knowledge and consciousness on data protection. This means that in most cases the adaptation is limited to the formal aspects of the legislation, such as the adaptation of informative policies and clauses on their websites or forms, unfortunately without undertaking a proper privacy management of their daily activities in order to guarantee an effective protection of personal data and avoid future violations of rights and freedoms.

Another difficulty for SMEs when applying the legislation is the lack of financial resources. The legislation should have foreseen public resources to cope with the implementation. For instance, for the list of treatments it is necessary to carry out an impact assessment on data protection. It is also important to highlight the lack of human and economic resources, since the implementation of risk management related to data protection does not only refer to documentary obligations. Risk management also means taking technical and organisational measures that have an impact on the management of information by the entities subject to the law. Such entities need to take effective security measures and adopt internal protocols on the new tasks to be assumed by their staff.
UNIZO – BELGIUM

• It is crucial that every code of conduct allows the adherence of any controller or processor, so also of a self-employed person or SME. Therefore, it should be ensured that the entry conditions to any code of conduct are SME-tailored. UNIZO requests the EDPB to provide for an SME-test that needs to be conducted before any code of conduct can be issued. (See for more details also SMEunited comments on “GUIDELINES 1/2019 ON CODES OF CONDUCT AND MONITORING BODIES UNDER REGULATION 2016/679”: https://smeunited.eu/admin/storage/smeunited/190402-smeunited-comments-on-codes-of-conduct-and-monitoring-bodies-under-regulation.pdf )

• A DPO is compulsory in case a public authority is processing data. This is problematic for SMEs who are working / providing services on behalf of public authorities. For most of these SMEs it is not realistic to designate a DPO themselves. The obligation to designate a DPO should be limited to the cases of monitoring on a large scale or when the rights of the data subjects are seriously impaired. The actual situation entails the risk that public authorities will only work or contract with (big) organisations which have a DPO, to the detriment of the SMEs.

• The so-called, but not existing, exemption for SMEs to keep a record of processing activities (article 30) has to become real. This means that there should only be an obligation to keep a record of processing activities if there is monitoring on a large scale or when the rights of the data subjects are compromised. We refer here also to the letter sent by SMEunited to the EDPB (at the time the Art 29 Working Party) and the Commission.

• If a national supervisory authority is confronted with an infringement by an SME, the authority should be obliged to give a warning first instead of a sanction (except in the case of SMEs that monitor data on a large scale).

• There is still unclarity about who is controller and who is processor. E.g. BPost (The Belgian Post) pretends not to be a processor but a controller and consequently refuses to sign a contract as a processor. More clarity and legal certainty should be ensured on this question.

• There is also the question how an SME can obtain a contract from large processors (Google, Microsoft, …). It should be sufficient for SMEs if they can prove that they have asked for such a contract.

• The documentation on data breaches (art 33) is in practice not kept, as it is a huge administrative burden. Also here an exemption should be introduced for SMEs.

• The issue of the transfer of personal data to third countries is also problematic for SMEs. They can indeed not prevent big processors from transferring this information to third countries. But the SMEs are obliged to inform the involved persons beforehand. This problem should also be tackled in the review.
ZDH - Germany

1. General comments
a. For members representing businesses: please explain what were the main issues experienced by the organisations you represent in complying with the GDPR.
ZDH:
1. Record of processing activities: According to article 30 GDPR, the obligation to establish a record of processing activities does not apply to enterprises or other institutions that employ fewer than 250 employees unless their processing is a risk to the rights and freedoms of people, or the processing takes place frequently, or there is processing of special data categories. Due to additional restrictions the exception rule does not apply to any company that actually has employees. Every employer inevitably processes specific health data (e.g. absence due to illness) or data about religious confession for tax calculations. In addition, the large majority of companies do not fulfil the condition “not just occasional processing”. Every small company processes the data of their customers every day. Consequently, not one single company falls under the exception.
2. Information requirements: Need for a more consistent “risk-based approach”.
3. Certification: Because of high costs, certifications are not financially attractive to SMEs. In sectors with less data processing, like the crafts sectors, moderate expertise and process requirements should be sufficient.
4. Data protection officer: Some companies, e.g. garages that carry out the exhaust emission test, act as a public body in this capacity and therefore generally need a data protection officer. However, the obligation to nominate a data protection officer should only apply if it’s the company’s core activity to process personal data.
b. For other members: please explain what were the main issues your stakeholders experienced, or you have observed, on the application of GDPR.

2. Impact of the GDPR on the exercise of the rights
a. How have the information obligations (in Articles 12 to 14) been implemented? Has there been a change of practices in this respect?
ZDH: The information obligations are not in line with the risk-based approach. In general, all companies are obliged to provide information to the customers about the legal basis of data processing, when the data is being deleted and that the customer has a right of correction, a right of deletion and a right of appeal. However, the full information obligations are not proportionate in case of low-risk data processing by craft companies which does not have a significant impact on the customers. For low-risk data processing activities the information obligations should rather be transformed into a right of information on the side of the customer. This means that the customer should get the information on the legal basis and his rights etc. only when he asks for it.
b. Is there an increase of requests (where possible provide estimates):
i. to access data? No.
ii. for rectification? No.
iii. for erasure? No.
iv. to object? No.
v. for meaningful explanation and human intervention in automated decision making? No.
c. Are there requests on data portability? No.
d. On which rights do these requests mostly relate to? /
e. Are there any difficulties in the application of the rights (by controllers, by DPAs), including for meeting the deadlines for responding to the requests? No.
f. What percentage of the requests was manifestly unfounded or excessive? Please describe why these requests were unfounded or excessive.

3. Impact of Article 7(4) regarding the conditions for valid consent on your business model/consumers
a. Are there any issues with the use of consent as legal basis for specific processing operations? (e.g. complaints received) When requesting consent, how did individuals respond? No.
b. Have organisations switched the legal ground for processing from consent to another legal ground? No.
c. How are businesses addressing the issue of tied consent? How are they distinguishing between contract as legal basis and consent? ZDH: They do it the way they did before.

4. Complaints and legal actions
a. Are there any complaints against your organisation(s) submitted before DPAs? No.
b. Are there any court actions against your organisation(s)? No.

5. Use of representative actions under Article 80 GDPR:
a. Are you aware of representative actions being filed against your organisation(s) or in your Member State? As an organisation representing civil society, have you filed representative actions in any Member State? No.
b. What types of representative actions (complaint to DPA or to court, claim for compensation)? In which country/ies?
c. Against whom and for which types of infringements of GDPR?

6. Experience with Data Protection Authorities (DPAs) and the one-stop-shop mechanism (OSS):
a. Are there any difficulties experienced in the dealings with DPAs (by individuals/businesses)?
ZDH: In Germany, the data protection authorities are federally structured, i.e. each “Bundesland” has its DPA in addition to the national DPA. The experiences are very different according to the DPA. There are DPAs who work together with companies to find practical solutions. Other DPAs interpret the GDPR in a very dogmatic and strict way. The biggest difficulty for companies, however, is that the practice of the supervisory authorities is very heterogeneous. Companies operating nationwide are confronted with different demands. This means that the idea of a uniform data protection law in Europe already fails in Germany because of the federal supervisory structure. This problem is even aggravated by 16 different data protection laws, which adapt the GDPR to the particularities of each “Bundesland”. The data protection rules are largely the same, but differ in details from each other, which makes it very complicated for companies to comply with the rules.
b. Are there difficulties in obtaining advice or guidance material by the DPAs?
ZDH: There is a lot of information for businesses on the websites of the DPAs. The range of information differs but it is in general sufficient. Because of the amount of questions it sometimes takes a long time to get answers from DPAs.
c. Are DPAs following up on each complaint submitted, and in a timely manner?
ZDH: We don’t have any experiences with this point.
d. How many of your business members have declared a main establishment to a DPA and benefit from a Lead Authority? Have they experienced difficulties with the functioning of the OSS?
ZDH: We don’t have any numbers or experiences in this regard.
e. Do you have experience with the designation of representatives of controllers or processors not established in the EU? No.
f. Are you aware of guidelines issued by national DPAs supplementing or conflicting with EDPB guidelines? (please explain) No.

7. Experience with accountability and the risk-based approach (for members representing businesses):
a. What is the feedback from your members on the implementation of accountability? And their experience with the scalability of obligations (e.g. Data Protection Impact Assessment for high risks, etc.)?
ZDH: See answers to questions 1 and 2.
b. What are the benefits/challenges of GDPR in your line of business?
ZDH: The main challenge is to fulfil the information obligations in the right way and at the foreseen time. There are no benefits for crafts companies.
c. What do you think the overall impact of GDPR will be on your organisation's approach to innovation?
ZDH: The implementation of the GDPR and the ongoing effort to fulfil the legal obligations take a lot of time. This time and effort could be better used to create innovation and to further develop the business.
d. In which area did your organisation have to invest most in order to comply with the GDPR? How useful do you consider this investment for the overall performance of your organisation?
e. To which extent could your organisation rely on existing technical and organisational measures or did you establish a new data management system?
ZDH: The GDPR doesn’t bring many new aspects or rules for German businesses. The information obligations are the main issue.
f. Do your members experience an increase of awareness and of trust of their customers due to the implementation of technical and organisational measures to comply with the GDPR? No.

8. Data protection officers (DPO):
a. Did the organisations you represent designate a mandatory DPO pursuant to Article 37(1) GDPR? No.
b. Did the organisations you represent designate a mandatory DPO pursuant to national law implementing Article 37(4) GDPR? Please specify which national law and for which situations.
ZDH: In Germany each business has to designate a DPO if it has more than 10 employees who constantly deal with data (§ 38 Bundesdatenschutzgesetz).
c. Did the organisations you represent designate a DPO on their own initiative, without being required to do so by the GDPR or by national law?
d. Did associations or other bodies representing categories of controllers or processors designate data protection officers?
e. What is the experience of the organisations you represent with the performance of DPOs?
ZDH: In general, DPOs can be helpful to fulfil legal obligations. But in most cases concerning the crafts sector the mandatory designation of a DPO is not necessary, because crafts companies have a low risk of violating data protection rules and are able to fulfil the legal obligations without a DPO.

9. Controller/processor relationship (Standard Contractual Clauses)
a. What is the experience of the organisations you represent on the adaptation of current contracts?
ZDH: The requirements of the GDPR and the German data protection law are very similar. In so far it was only necessary to adapt some formal aspects.
b. Is there a need for the adoption of standard contractual clauses under Article 28(7) GDPR? Explain what are the main reasons.
ZDH: No. There are many model terms/clauses and model contracts available for free that can be used. So there is no need for such standard contractual clauses.
c. If standard contractual clauses were to be prepared, what elements and specifications should be included? (e.g. auditing, liability allocation, duty of cooperation, indemnification)
d. Do you have suggestions in terms of how to ensure the “user-friendliness” of such standard contractual clauses?
e. In case you have drafting suggestions for specific clauses, please share.

10. Adaptation/further development of Standard Contractual Clauses (SCCs) for international transfers.
ZDH: We don’t have any numbers or experiences in this regard.
a. What are your practical experiences with the existing SCCs: Do they serve the purpose? If not, where do you see room for improvements? Have you encountered any problems in using the existing SCCs?
b. Do you see a need to adapt the existing SCCs, generally and/or in the light of the GDPR? (e.g. different structure/design? additional safeguards? combination with Art. 28 standard contractual clauses for processors?)
c. Do specific clauses require further clarification (e.g. auditing, liability allocation, duty of cooperation, indemnification)?
d. Is there a need to adapt the SCCs in light of the Schrems II court case (concerning access by third country authorities), e.g. with respect to monitoring/reporting obligations on the data importer/exporter? Do you have suggestions on ways and means to strengthen the possible control by the data exporter vis-à-vis the data importer and the measures to enforce such control (e.g. not only suspending the transfer of data but actually recalling the data already transferred)? Do you have any other suggestions on how to further strengthen data protection safeguards and control mechanisms (including by the DPAs) with regard to government access?
e. Is there a need to develop new SCCs, e.g. for the processor/sub-processor relationship, joint-controllership, processor-to-controller relationship or specific processing operations?
f. Do you have suggestions in terms of how to enhance the “user-friendliness” of SCCs?
g. In case you have drafting suggestions for specific clauses, please share.

11. Have you experienced or observed any problems with the national legislation implementing the GDPR (e.g. divergences with the letter of GDPR, additional conditions, gold plating, etc.)?
ZDH: Please see our answer to question 8 b).
WKÖ - AUSTRIA

GDPR (DSGVO) “stock-taking”

Introduction

At the outset it should be stated that evaluation measures for existing regulations (of whatever kind) are in any case to be welcomed. Such evaluation measures should, however, not only be carried out “on paper” but should actually feed into existing and, in particular, future legislative measures. In this context, reference should also be made to the ePrivacy Regulation currently under negotiation (Regulation concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC). Problems that are addressed there could also have been taken into account when drafting the EU General Data Protection Regulation (GDPR), and a uniform European data protection framework, one that would actually have been technology-neutral and applicable to all players, could thereby have been created. This possibility still exists if the evaluation measures were used to actually adapt the GDPR once more. We would in any case like to underline this proposal. We further suggest making the findings of this evaluation, regardless of the form in which it is carried out, available to the public. Ideally, the Commission should also disclose the findings submitted to it.

The Bundessparten (federal sectoral divisions) and Landeskammern (regional chambers) reported the following experiences of member companies with the GDPR (as of March 2019):

1. General comments in connection with compliance with the GDPR:

On costs/additional burdens: Based on the feedback we have received, both the conversion costs and the ongoing costs that are or must be expected were high. This is because, when new products or services are introduced, a comprehensive impact assessment or similar must usually also be carried out. The additional burden caused by the GDPR has increased significantly, since this topic runs through all areas of the company. No concrete figures have been given so far. Particularly in the technical area (IT), many businesses have to buy in know-how. Operating and maintaining their own website has also been outsourced by many members because of the GDPR. The available funding options usually cover only a fraction of the costs.

On the allocation of roles (controller/processor, definitions in Art 4(7) and (8)): Because of differing opinions, decisions and interpretations, difficulties in classification arise again and again in practice. There is often legal uncertainty in practice as to which processing activities are carried out as a controller and which as a processor. According to the feedback from the Bundessparte Bank und Versicherung, the guidance of the Bayerisches Landesamt für Datenschutzaufsicht (Bavarian data protection supervisory authority) is endorsed in this context, according to which processing on behalf of a controller in the data protection sense exists only in cases where one body commissions another body primarily with the processing of personal data (“Schwerpunkt-Theorie”, the centre-of-gravity theory). Commissioning professional services of another kind, i.e. services in which data processing is not the focus or in which data processing does not at least constitute an important (core) component, does not constitute processing on behalf of a controller in the data protection sense.

On the principles of processing (Art 5): The principle of storage limitation also raises questions. The partly divergent handling of retention periods and retention options by the Member States is difficult for individual entrepreneurs to follow. In this context, the question of the lawfulness of data backup systems (e.g. backups, but also archive systems) still causes headaches.

On the processing of special categories of data (Art 9): Art 9 lists exhaustively the legal bases for the processing of “sensitive data”. In contrast to the legal bases under Art 6, what is missing here in particular is the possibility of processing on the basis of legitimate interests (Art 6(1)(f)) and for the performance of a contract (Art 6(1)(b)). In practice it often happens that sensitive data must also be processed in order to perform a contract. For such contract performance, according to the wording of Art 9, explicit consent to the data processing would now also have to be obtained. This poses major problems for some sectors, since existing contracts did not provide for such consents. Examples: accountants (Bilanzbuchhalter) also need sensitive data (sick leave, religious affiliation) in order to carry out payroll accounting; nurses must inspect medical records in order to prepare the appropriate medication; insurance brokers, whose statutory mandate is to safeguard the interests of their clients vis-à-vis the insurer (§§ 27, 28 MaklerG), also have to store and process sensitive data in some cases.