Useful Information for Small Companies From the Bavarian Data Protection Authority (BayLDA)
April, 2018 - Lutz Martin Keppeler
The Bavarian data protection supervisory authority has prepared a series of template documents and overviews, intended to help small companies with GDPR compliance. At first glance, these documents do indeed provide important support for small companies. These have to fulfil almost all obligations under the GDPR in a similar manner to medium-sized businesses and large corporations. However, a closer look shows that the documents also contain interesting general statements that are of importance for companies of all sizes. The general statements are supposed to be at the forefront here; however, the help for small companies is also explained.
FROM THE ONLINE SHOP TO THE BAKERY
Unlike many documents from the data protection supervisory authorities, the information for small companies actually concerns itself with very specific individual cases, and defines data protection requirements for - among others - the following types of company:
- Tax consultants
- Medical practices
- Cooperative banks
- Online shops
to name just the most relevant examples. The documents also include detailed information for "microenterprises" such as a bakery or a motor-vehicle workshop. Not least, this spectrum shows the following: without exception, all companies are affected by the GDPR and must make serious efforts to implement the corresponding requirements.
OVERVIEW OF THE GDPR REQUIREMENTS
For most types of small company, the BayLDA provides both a specimen record of processing activities as per Art. 30 GDPR and a respective two-page document with information on ten particularly important requirements under the GDPR. For example, an explanation is provided for all companies to the effect that contracts for processing must be concluded in accordance with Art. 28 GDPR. In the case of online shops, this applies, for example, to the contracts with a hosting provider, a payroll accounting company and a payment service provider.
RECORDS OF PROCESSING ACTIVITIES
It is precisely the extensive preparation of records of processing activities that creates the particularly high bureaucratic workload related to data protection compliance. The BayLDA makes no exception for small companies. The question of whether companies have to prepare a record of processing activities is affirmed for all companies, although generally speaking all companies described by the BayLDA have considerably fewer than the 250 employees stated in the exemption provision of Art. 30 (3) GDPR. Ultimately however, the BayLDA is of the opinion that the corresponding counter-exceptions under Art. 30 (3) GDPR apply in all cases. In this respect, the BayLDA bases its position predominantly on the fact that all companies stated - including the bakery - "regularly" (i.e. more frequently than "only occasionally" as defined in Art. 30 (5) GDPR) process personal data, and are therefore required to prepare a record of processing activities. As a form of "mediating solution", the BayLDA then however provides very short and generic templates for such records. These typically do not fill more than one DIN A4 page. Even if the information content of these records is very low, it can easily be argued that all requirements under Art. 30 GDPR are in fact met. However, such a "minimum record" can hardly be used to prepare an actual-state analysis of the data processed. Without additional knowledge, it is likewise not possible to derive from the records which compliance gaps still have to be closed in order to achieve full GDPR compliance. Against this background, extended records of processing activities remain an indispensable central compliance document for larger companies. The minimum templates are nevertheless worth their weight in gold for possible future defense measures against higher official requirements - above all in Bavaria. The BayLDA does not establish any connection to the template for records of processing activities as per Art. 30 GDPR, first published by the DSK (Data Protection Conference) in mid-February, which is significantly longer than the templates from Bavaria.
EVERYBODY HAS TO DELETE
It is becoming increasingly clear from the data protection supervisory authorities, and is now also reflected in the requirements for small companies: no company will be able to avoid deleting personal data once all retention periods have expired. If this applies even to the motor-vehicle workshop and the bakery, it must certainly be taken seriously by larger companies. Within the scope of a data protection audit, it is far too easy to ascertain that old data have thus far not been systematically deleted for this to be a risk worth taking. This is likely to be one of the last warnings for larger companies that have not yet prepared a deletion concept.
DATA PROTECTION IMPACT ASSESSMENT
A further interesting fact is that none of the small companies is expected to carry out a data protection impact assessment. Here, the argument put forward by the BayLDA is quite simply that data processing does not generally involve a high risk. This applies even despite the fact that each of the companies described has employees, and as such processes special categories of personal data as per Art. 9 GDPR. In the opinion of the BayLDA, even a described production company with 40 employees that operates video surveillance is not required to carry out a data protection impact assessment overall.
This shows that Bavaria apparently applies higher thresholds than those resulting from the corresponding recommendation of the Art. 29 Working Party. This should not prompt anybody to take unnecessary risks: in case of doubt, it is advisable to document a data protection impact assessment rather than to dispense with it. Nevertheless, the BayLDA information for small companies also offers very interesting arguments on this point that will be helpful in future in cases of doubt in the context of proceedings against data protection supervisory authorities.