Tuesday, November 6th, 2012

ESBA Letter to Lara Comi MEP on the General Data Protection Regulation

The Honourable Lara Comi

Member of the European Parliament 60, rue Wiertz
B-1047 Bruxelles

Tuesday, 6 November 2012

Re: ESBA and ACT’s concerns on the European Commission proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (COM (2012) 0011).

Dear Ms. Comi,

We are writing to you in your capacity as rapporteur responsible for the opinion of the European Parliament Committee on the Internal Market and Consumer Protection regarding the General Data Protection Regulation. By means of this letter, the European Small Business Alliance (ESBA) and the Association for Competitive Technology (ACT) express their concern about the effect on micro- and small businesses of certain elements of the current text.

ESBA and ACT recognise the need to revise the current data protection rules and welcome the initiative by the European Commission to change the regulatory framework in this regard. The proposal is however drafted in such a fashion that it leads to excessive administrative and financial burdens for micro- and small businesses. It does not give legal clarity nor does it provide legal certainty. Furthermore, it is not easily implementable by SMEs.

We have duly taken note of your draft opinion on behalf of the European Parliament Committee on the Internal Market and Consumer Protection. We support the focus of your report on consistency, rights of the data subject, obligations of the data controller and the aim to establish clear definitions. Furthermore, we welcome the fact that the report addresses the uncertainty accompanying the wide variety of delegated acts, as well as the practical implications of the provisions.

Representing the voice of over one million micro- and small businesses, we do however need to warn for the potentially harmful effect on SMEs of certain amendments.

In particular, we are concerned by the following two amendments:

Amendment 67 to article 35: deletion of reference to an enterprise employing 250 persons or more; relating to cases where a data protection officer needs to be designated.
Amendment 57 to article 25: deletion of reference to enterprises employing fewer than 250 persons; relating to cases where data controllers are not established in the Union.

A mere deletion of the envisaged exemption of small and medium-sized enterprises to designate a Data Protection Officer will impose a disproportionate administrative and financial burden on small businesses. We therefore propose to clarify the conditions under which an SME is obliged to designate a Data Protection Officer. To this effect, we suggest amending article 35 (1a) as follows:

Article 35 (1a):

The SME controller and the processor shall designate a data protection officer only where:

The treatment of data by the SME falls outside the scope of ancillary activity[1] and where the core[2] activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects.

Along the same line of reasoning, adaptations are justified to the proposal of the European Commission in cases where data controllers that are based outside the Union need to appoint a representative. In this case, we propose to establish a threshold of sales that are generated by the SME as the determining factor.

ESBA and ACT are fully committed to working towards a system where the individual rights of consumers are protected without hampering the growth of micro- and small enterprises. A well-designed General Data Protection Regulation has the potential to increase consumer trust, spur the uptake of the Digital Single Market and contribute to growth and jobs in the EU.

In order to ensure that the interests of micro-, small and medium-sized businesses are properly taken into account in the new Data Protection framework, ESBA and ACT have jointly created a set of amendments to establish a single article covering the duties for SMEs. This set of amendments will clearly establish the responsibilities of SMEs. Our suggested amendments will therefore contribute to the objectives that are clearly stated in your report of opinion. They will establish clarity, certainty and simplicity – thereby ensuring a high level of consumer protection without jeopardising business growth.

Please find attached to this letter our complete set of amendments. In line with the objectives that are expressed in your report of opinion, we urge you to take the recommendations into account.

With kind regards,

David Caro Jonathan Zuck

President, European Small Business Alliance President, Association for Competitive Technology

[1] Ancillary activity should be defined as business or non-trade activity that is not associated with the core activities of a firm. In relation to data protection, data processing activities which do not represent more than 50% of company’s turnover shall be considered ancillary.

[2] Where 50% of annual turnover resulting from sale of data or revenue gained from this data (e.g. ad services).

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.