VSEs & SMEs: How can I assess my personal data management in relation to the GDPR?

ALTO, a GDPR self-assessment tool

The CNPD, in collaboration with the Luxembourg House of Cybersecurity, the National Cybersecurity Competence Center (hereinafter the "LHC-NC3"), aims, within the framework of the "DAta Protection CompLiance SupporT TOolkit" project (hereinafter the "ALTO Project"), to respond to the challenges of start-ups and small and medium-sized enterprises established on the territory of the Grand Duchy of Luxembourg (hereinafter the "SMEs") in the context of compliance with the GDPR.

The objective of the ALTO project is to provide SMEs with a simple, intuitive and free self-assessment tool enabling them to integrate the GDPR obligations into their activity. The focus will be on the fundamental principles set out in the GDPR as well as the reinforcement of the respect of individuals' rights in the context of the personal data processing envisaged and in progress. ALTO is aimed at all SMEs that need to comply with the GDPR, both as data controllers and data processors.

The CNPD's aim is to support SMEs in assessing, maturing and maintaining their compliance with the provisions of the GDPR. Compliance will enable these major players in the national economy to improve their transparency and thus consolidate consumer confidence.

In order to ensure the realization of the ALTO project, the CNPD naturally joined forces with the LHC-NC3, which has already demonstrated a strong interest in raising awareness among SMEs on cybersecurity and privacy issues through its Fit4Cybersecurity and Fit4Privacy tools.

ALTO will be a self-assessment tool that can also be replicated in other Member States, as it is based on open-source software and on the GDPR, a European regulation that applies uniformly to all SMEs established on the territory of the European Union. As such, ALTO is a project selected by the European Union in the framework of the call for projects launched in 2021 for national data protection authorities, aimed at supporting citizens' engagement, equality for all and the implementation of EU rights and values.

Am I impacted by the GDPR?

The General Data Protection Regulation (GDPR) impacts all companies, regardless of size and type of activity (including SMEs):

  • if they collect, store or use personal data: in this case, the company is a "data controller";
  • if they process personal data on behalf of other organizations: in this case, the company is a "processor".

For SMEs, some requirements are more flexible, in particular as regards the appointment of a data protection officer.

More information: The CNPD offers a 7-step preparation guide to help organizations comply with the GDPR.

What is a data controller and what is a data processor?

The controller is the company or entity that decides why or for what purpose personal data are collected and used and how these personal data are processed. In other words, the controller decides on the purposes and means of data processing.

When two companies jointly decide on the means and purposes, they are joint controllers. The joint controllers must determine who will assume the obligations towards the data subjects and they must make this known to the data subjects.

A processor is a company or other entity that processes personal data solely and exclusively on behalf of and on the instructions of another company. Note that processing by a processor shall be governed by a contract or other similar legal act.

Does a processor need to comply with the GDPR?

Processors, i.e. persons or organizations that process data on behalf of a controller in the context of providing a service, must comply with the GDPR just like controllers.

More information: The European Data Protection Board (EDPB) provides guidelines on the concepts of "Controller" and "Processor" in the context of the GDPR.

How can the rights of data subjects be respected?

The GDPR grants individuals specific rights, which an SME must respect, in particular:

  • by informing people at the time their personal data are collected, by means of notices included in employment contracts, forms and/or questionnaires, which may in particular refer to a data protection policy;
  • by replying to requests from data subjects whose data are being processed and who exercise their rights, including the rights of access, rectification, objection and/or deletion, whether they are customers, employees and/or service providers.

Companies that are transparent about their use of personal data and respect data subjects' rights are less likely to attract criticism (e.g. on social networks) or to be exposed to complaints to the CNPD.

More information: The CNPD has published a brochure and a dedicated website that answers frequently asked questions.

Do SMEs need to appoint a data protection officer?

An SME, both as a controller and as a processor, is obliged to appoint a DPO if its tasks mainly consist of regular and systematic large-scale monitoring of data subjects and/or large-scale processing of "sensitive" personal data.

In all cases where the appointment is not mandatory, it is nevertheless recommended to appoint a DPO.

Who can act as DPO?

The DPO may be an internal employee of the SME with sufficient knowledge of the GDPR, provided that the employee's professional duties are compatible with those of a DPO and do not give rise to conflicts of interest, or an external person. The DPO must in any case be able to perform his or her tasks independently and must be able to report directly to the highest level of management.

More information: The CNPD has made a declaration form available online as well as a dedicated website that answers frequently asked questions.

Do SMEs have to keep a register of processing activities?

Any company that processes personal data, with the exceptions listed below, must in principle keep a register of processing activities for all processing activities carried out as a controller. This register is a kind of inventory of all processing activities and is useful for properly assessing the obligations arising from the GDPR and the possible risks.

It should be noted that companies with fewer than 250 employees are not required to keep a register as long as they do not perform processing operations that might pose a risk to the data subjects concerned, processing of sensitive data, or processing operations that are integrated into the day-to-day running of the company, such as the management of staff, customers and suppliers.

In any case, each company must regularly evaluate all processing operations and, if necessary, complete or adapt the register of processing activities.

More information: The CNPD has set up a dedicated website which answers frequently asked questions.
