Legal: Orgalim input on the GDPR review and evaluation
In light of the upcoming GDPR review and evaluation, foreseen for June 2020, Orgalim would like to share its views with the European Commission. Given that it has only been two years since the GDPR came into force, Orgalim does not see a need to modify it. We believe a revision at this stage would undermine legal certainty, vital to the functioning of our companies, and especially SMEs. Moreover, the precise impact of the GDPR still needs to be further analysed.
However, Orgalim would like to put forward the following recommendations:
-
Mixed data sets: increasingly, our companies process mixed data sets. For instance, machines collect data on machines’ performance and operations. Sometimes, this data also records how these machines are driven and used by the company’s workers. The ability to connect data to individuals constitutes a personal data dimension to a data set. The ability to use machine-generated data to the fullest extent is key for our companies, as this data is essential for predictive maintenance and resource optimisation, which links to meeting green targets. Therefore, we believe that a lighter process should apply to mixed data sets, rather than the full application of the GDPR. At least, the requirements of the GDPR should be very clear as to processing of these data sets. The European Commission guidance1 on this topic should be more flexible.
-
Innovation: Article 22 of the GDPR has been interpreted as a general prohibition to automated decision-making. This could hamper innovation and put a halt to Europe’s ambitions to lead in AI. In this respect, the existing European Data Protection Board (EDPB) guidelines on automated decision-making should be revised so as to enable automated decision-making.
-
SMEs: We would like to see EU guidelines, specifically aimed at helping SMEs with their GDPR compliance. In particular, the extent of some obligations for SMEs; for example, the recording of processing activities, and the need to appoint a Data Protection Officer, should be clarified. Up to this point, the requirements and cost of compliance have in many cases exceeded the benefits for SMEs. The EDPB should try to create more clarity – especially on requirements for industrial SMEs processing only necessary data related to employees and customers.
-
Harmonisation: Full harmonisation is needed in order to prevent fragmentation of the internal market. In line with the spirit of the GDPR, the EDPB’s coordination role should be strengthened. This is necessary to avoid instances where Data Protection Authorities in the EU Member States provide diverging national interpretation and guidance, and enforce the GDPR differently, thereby creating problems for our companies.
Please download the full position above.
Authors
Senior Adviser - Trade and Legal