In order to ensure compliance with the GDPR and gather valuable information about the difficulties they face, NAIH was operating an email hotline for SMEs between 15 March 2019 and 15 March 2020 to assist them in the compliance with the GDPR. In this period NAIH had provided information for SMEs throughout the European Union in respect of the interpretation and proper application of the GDPR.
The SME hotline was maintained at NAIH premises, infrastructure (office, web interface, etc.) and necessary workforce (hotline administrator, hotline expert, DP experts, professional supervisor) was provided by NAIH.
A data protection notice and internal rules for the operation of the hotline (including deadlines, conditions of assistance, liability issues) had also been prepared. The internal rules for the operation (Memorandum) of the hotline laid down the tasks of the engaged personnel, the internal policies (including deadlines, conditions of assistance, languages used, etc.) and it covers liability issues as well.
The Memorandum also laid down the detailed rules for the responses given. The responses shall be formulated so as to not only include the mere repetition of the provisions of law, but also to provide graspable assistance in the interpretation of law applicable relevant to the merit of the question, and to highlight the relevant aspects in the application of law related to the given question, the factors to be considered among them, and their significance. The answer shall contain no opinion as to the lawfulness of any concrete data processing.
To support the fulfilment of the SME hotline task the NAIH developed a Knowledge Base on the basis of the law-
The NAIH has experienced a high interest among SMEs during the hotline’s operation, 252 questions was answered, but it must be noted that only one e-
The highest number of questions received from SMEs concerned the GDPR compliance of the concrete processing activity of the SME, followed by the video surveillance, the personal data of employees’, and the rights of the data subjects, then the legal basis of the data processing, the record of processing activities, scope of GDPR and the data protection policy.
The issues received were sorted into three categories by difficulty:
1. Simple issues (Shall an SME keep record of its processing activities?)
2. Medium (Based on its activity does the SME count as a data controller or a data processor?)
3. Complex issues (Under which circumstances shall the biometric data of employees’ be processed?)
Based on the questions SMEs most frequently asked the hotline and the responses given an innovative handbook for SMEs on EU data protection law will be prepared. This handbook will accustom SMEs to the GDPR, and help them ensure that they are GDPR compliant.
Based on the high number of questions received and the on the positive feedbacks, the SME hotline has reached its goal and supported the GDPR compliance of the SMEs successfully.
The SME hotline is operated by the National Authority of Data Protection and Freedom of Information under the STAR II project (Support small and medium enterprises on the data protection reform II; 2018-