Do I, as a small business, have to comply with the GDPR?
March 18, 2023 | 50,00 EUR | answered by Andrea Schlattmann
Dear Data Protection Lawyer,
I am Maria Eberstark, owner of a small business in the field of event planning. In recent weeks, I have heard more about the General Data Protection Regulation (GDPR) and now wonder if my small business is also required to comply with the GDPR.
Currently, I store customer data such as names, contact information, and possibly special requests or preferences of my customers in an Excel spreadsheet on my computer. Additionally, I regularly send newsletters to my customers to inform them about new offers and events. Personal data is also processed in this regard.
I am concerned that I may be violating the GDPR and could face legal consequences as a result. As a small business, I unfortunately do not have the resources to fully inform myself about the requirements of the GDPR and implement appropriate measures.
Therefore, my question to you as an expert in data protection law: Do I, as a small business, need to comply with the GDPR? What specific steps do I need to take to ensure that I comply with data protection regulations? Are there any exceptions or simplifications for small businesses like mine?
Thank you in advance for your support and advice on this matter.
Sincerely,
Maria Eberstark
Dear Mrs. Eberstark,
Thank you for your inquiry regarding the General Data Protection Regulation (GDPR) and your associated concerns as the owner of a small business in the event planning sector. It is understandable that the GDPR poses a significant challenge for many companies, especially those with limited resources.
Yes, even as a small business, you are required to comply with the GDPR. The GDPR applies to all companies, regardless of size, that process personal data. This includes the customer data you mentioned, which you store in your Excel spreadsheet and use for sending newsletters.
To ensure compliance with data protection regulations, you must first create a GDPR-compliant data protection policy. This policy should transparently outline what personal data you collect, for what purpose you use it, how long you store it, and how you protect it. Additionally, you should ensure that your customers' data is securely stored, for example, through password protection or encryption.
Furthermore, you must ensure that you have a legal basis for processing customer data. For newsletters, for example, you need your customers' consent. This consent should be explicit and voluntary, and your customers should have the option to revoke it at any time.
However, there are also exemptions and simplifications for small businesses under the GDPR. As a company with fewer than 250 employees, you may be exempt from the documentation obligation if the processing of personal data does not pose a high risk to the rights and freedoms of individuals. Nevertheless, you must still adhere to the basic principles of the GDPR such as transparency, purpose limitation, and data security.
It is recommended to conduct a data protection impact assessment to identify potential risks to your customers' data and take appropriate measures. Additionally, you should provide regular training for your employees on data protection to ensure they are aware.
I hope this information is helpful to you and I am available for further questions.
Sincerely,
Andrea Schlattmann, Data Protection Lawyer