GDPR: not my concern! Wrong or right?
Antwerp, May 2018
I got tired of all those e-mails trying to scare me about the upcoming entry into force on 25 May 2018 of the General Data Protection Regulation (GDPR) (2) for the purpose of trying to sell me a book, a subscription, a seminar, or legal services. This European Regulation imposes a number of duties and restrictions in respect of personal data.
The first question, really, is whether you should bother about the GDPR at all. Most have a good specific reason to believe the GDPR is of utmost importance for others, but not for themselves. Try to find your good reason hereunder, and check how “good” it is.
Further, you may want to find out whether or not we violated the GDPR by sending you this bulletin by e-mail. You will find the answer somewhere below.
Regulated Profession and Privileged Information
To begin with our own profession, “this Regulation for sure does not apply to lawyers, because we are already bound by a duty of secrecy.”
Article 21.1(g) provides for possible restrictions of certain rights and duties by Union or Member State law, where necessary and proportionate to, among other things, prevent breaches of ethics of regulated professions. So there may be restrictions, but the GDPR is to a large extent also applicable to regulated professions, and provides for duties not included in the code of ethics of regulated professions.
No processing of personal data
“We are not involved, because, unlike a webshop, profiling, selling, and processing personal data is not our core business. In fact we have no personal data at all.”
An e-mail address, even a merely professional one, the recording of a visitor at the entrance desk, camera recordings, a job applicant’s resume, employees’ data, etc. are all, even taken separately, personal data within the meaning of the GDPR. Even company records contain personal data, and while at a certain point in time they must be public, such as the identification of directors, proxy holders, etc., there must also be a company policy on how to maintain these data, especially when they must no longer be public. In fact, any enterprise and any organisation inevitably processes personal data within the meaning of the GDPR.
“We are a small business and therefore it cannot be true that all such complex duties are imposed on us.”
The small size of the enterprise (fewer than 250 persons employed) may, under conditions, exclude the enterprise from one duty only, i.e. maintaining a record of processing activities (article 30.5), but it does not, in general, exclude the enterprise from the scope of the GDPR.
Under the Radar
“I am too small, too discreet or of too little significance to become the subject matter of a control, an investigation or a fine.” Or, “the enforcement authorities have too small budgets and will not find me, because they will not even be able to handle those whose core business it is to handle personal data.”
In general it is not a good idea to rely on the likely lack of enforcement for violating the law. Further, the enforcement authorities will not only determine their targets themselves, but will also investigate on the basis of complaints. A violation may make you very vulnerable to unhappy customers or bad losers.
Not within the European Union (EU)
“We are not established within the EU, so it cannot be true that we have to comply with an EU Regulation.”
Like the EU competition laws, the GDPR also imposes duties on enterprises outside the EU. Among others, the GDPR will, by virtue of article 3.2, apply to a non-EU enterprise offering goods or services to data subjects in the EU or when it monitors behaviour within the EU.
“We are established in the UK, so we cannot be concerned by this European Regulation.”
Firstly, the place of establishment of the enterprise is not the sole criterion, as set out hereunder. Secondly, the GDPR will enter into force on 25 May 2018, that is, when the UK will still be part of the EU. Thirdly, a bill is now under second reading in the House of Commons, so you should also watch this development to comply with statutory duties in respect of the protection of personal data.
Why comply and how compelling?
You have seen above a number of wrong reasons for disregarding the GDPR. The good reason to comply is, first of all, that it is good to comply with the law. Further, the amounts of the fines are extraordinary: up to 4% of the violator’s worldwide turnover or €20,000,000, whichever is higher (article 83.5).
The duties to comply with may, depending on a number of parameters (size of the enterprise, type of activity, type of processing of personal data), range from very light to rather compelling. But for most enterprises they are rather light, and, except for complying with a number of formalities, compliance is likely to be little more than writing down a very brief policy, which already exists but which is not expressed in any document. You may find that such a policy, and reflection thereon, is helpful not only to comply with the GDPR, but may also be otherwise necessary to protect your own interests.
Test your knowledge:
If you received this bulletin by e-mail, did we violate the GDPR or not?
No, because we have sent you this Bulletin prior to the entry into force of the GDPR on 25 May 2018.
This bulletin is not a summary of the 88-page Regulation 2016/679; it contains just a few questions to test your awareness. It is by no means exhaustive.
Benoît Goemans, advocate
direct phone: + 32 3 231 54 36
This Bulletin is not a legal opinion. It cannot take into account all specific cases. It should not cause, influence or induce a business decision. This bulletin does not discuss all issues which may arise in a particular case. You should not hesitate to contact us. We will usually be able to quickly give a first direction to your query or spot the issues on the basis of specific facts. We do not charge fees until we advise so and you consent thereto.
(2) REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance), OJ, 4.5.2016, L 119/1.